From 739a3f9053aff7e1a7fd2c1c5764f20eec22f94f Mon Sep 17 00:00:00 2001 
From: Kevin Rowlandson Date: Wed, 9 Mar 2022 14:16:09 +0000 Subject: [PATCH] Add VWAN deployment capability (#287) * Add VWAN capabilities to upstream branch (#250) * Initial MVP for virtual wan and hub resources * Update resource dependencies * Refactor to create dedicated resources for vwan * Refactor to simplify for management resources * Replace `try()` with `lookup()` * Update custom settings for Virtual WAN * Add DNS links for spokes connected to Virtual Hubs * Add virtual hub connections * Fix incorrect VPN gateway name (#251) * Fix incorrect VPN gateway name * Refactor test framework for VWAN additions (#265) * Refactor test deployments * Update minimum supported provider version * Fix linting error * Update root_name * Update unit test pipeline * Fix certificate path error * Rename job display names * Update e2e test pipeline * Update location variable * Remove unused TF_PLAN_OUT variable * Update parallelism environment variable * Update path for terraform destroy * Increase job timeouts for e2e * Update OPA value generator for pwsh * Add `planned_values.json` for each test case * Remove trailing whitespace * Update OPA tests script for new framework * Add OPA tasks to Unit Tests job * Remove `.sh` script (to be unified with `.ps1` version) * Refactor OPA installation scripts * Update execution bit * Update task names * Add readme to test framework * Add VWAN config to connectivity settings * Remove unsupported tags object from config * Update minimum supported version to fix #271 * Fix #271 error deleting firewall * Updates to fix #272 * Fix formatting error on fix for #273 * Fix to prevent lock file versions error * Update rego files to reflect changes for #272 * Updated for latest test framework plans * Update conftest baseline * Add opt-out for `terraform destroy` * Update for remote backend configuration * Update dependsOn for test jobs * Update execution bit on script file * Output variables to pipeline * Update auth config for backend * Update 
backend config for SPN auth * Update comment * Move random `root_id` generation to strategy job * Add SPN credentials to backend configuration * Do not try to overwrite readonly variable * Rename function for linting error * Remove `use_microsoft_graph` due to error * Add `az logout` step * Troubleshoot `terraform init` error * Map dependent variables * Add `az cli` login to init step * Troubleshoot auth issue for `terraform init` * Add `ARM_CLIENT_SECRET` to `terraform init` steps * Add dependent variables to e2e test jobs * Split e2e tests into multiple jobs * Update condition in test loop * Rename jobs * Update timeout on clean-up * Update condition format * Update dependencies * Update conditions * Update conditions * Update timeout and conditions for e2e tests * Rename tasks * Update logic for `terraform destroy` * Update logic for `terraform destroy` * Update condition * Rename e2e clean-up job --- Makefile | 6 +- README.md | 4 +- ...ectivity-Resources-With-Custom-Settings.md | 2 +- ...Examples]-Deploy-Connectivity-Resources.md | 2 +- ...]-Deploy-Custom-Landing-Zone-Archetypes.md | 2 +- ...[Examples]-Deploy-Default-Configuration.md | 2 +- ...es]-Deploy-Demo-Landing-Zone-Archetypes.md | 2 +- ...Identity-Resources-With-Custom-Settings.md | 2 +- .../[Examples]-Deploy-Identity-Resources.md | 2 +- ...nagement-Resources-With-Custom-Settings.md | 2 +- .../[Examples]-Deploy-Management-Resources.md | 2 +- .../[Examples]-Deploy-Using-Module-Nesting.md | 2 +- ...]-Expand-built-in-archetype-definitions.md | 2 +- ...mples]-Override-Module-Role-Assignments.md | 2 +- docs/wiki/[User-Guide]-Getting-Started.md | 2 +- .../[User-Guide]-Provider-Configuration.md | 4 +- locals.connectivity.tf | 94 +- locals.management.tf | 40 +- locals.policy_assignments.tf | 16 +- locals.tf | 35 +- locals.virtual_wan.tf | 71 + main.tf | 30 +- modules/connectivity/locals.tf | 786 +- modules/connectivity/variables.tf | 76 +- modules/management/locals.tf | 1 - outputs.tf | 3 +- 
resources.policy_definitions.tf | 10 +- resources.policy_set_definitions.tf | 8 +- resources.virtual_wan.tf | 256 + terraform.tf | 2 +- tests/README.md | 117 + tests/deployment/main.tf | 154 - tests/deployment/planned_values.json | 18242 ---------------- tests/deployment/settings.shared.tf | 6 - tests/modules/settings/outputs.tf | 32 + .../settings}/settings.connectivity.tf | 108 +- .../settings}/settings.core.tf | 24 +- .../settings}/settings.management.tf | 4 +- tests/modules/settings/settings.nested.tf | 21 + tests/modules/settings/settings.shared.tf | 6 + tests/modules/settings/variables.tf | 19 + .../test_001_baseline/client_config.tf | 7 + tests/modules/test_001_baseline/main.tf | 21 + .../test_001_baseline}/outputs.tf | 5 +- .../test_001_baseline/planned_values.json | 5374 +++++ tests/modules/test_001_baseline/providers.tf | 13 + tests/modules/test_001_baseline/settings.tf | 7 + .../test_001_baseline/terraform.tf} | 19 +- .../test_001_baseline}/variables.tf | 23 +- .../test_002_add_custom_core/client_config.tf | 7 + .../modules/test_002_add_custom_core/main.tf | 48 + .../test_002_add_custom_core/outputs.tf | 19 + .../planned_values.json | 6374 ++++++ .../test_002_add_custom_core/providers.tf | 13 + .../test_002_add_custom_core/settings.tf | 7 + .../test_002_add_custom_core/terraform.tf | 15 + .../test_002_add_custom_core/variables.tf | 31 + .../test_003_add_mgmt_conn/client_config.tf | 7 + tests/modules/test_003_add_mgmt_conn/main.tf | 146 + .../modules/test_003_add_mgmt_conn/outputs.tf | 22 + .../planned_values.json | 8054 +++++++ .../test_003_add_mgmt_conn/providers.tf | 13 + .../test_003_add_mgmt_conn/settings.tf | 7 + .../test_003_add_mgmt_conn/terraform.tf | 15 + .../test_003_add_mgmt_conn/variables.tf | 31 + .../archetype_definition_customer_online.json | 0 .../archetype_definition_customer_secure.json | 0 .../archetype_extension_es_root.json | 0 ...ssignment_es_deny_rsg_locations.json.tftpl | 0 ...icy_assignment_test_policy_definition.json | 0 
...assignment_test_policy_set_definition.json | 0 tests/opa/policy/management_groups.rego | 6 +- tests/opa/policy/policy_definitions.rego | 20 +- tests/opa/policy/policy_set_definitions.rego | 20 +- tests/pipelines/spn-generator.yml | 24 +- tests/pipelines/templates/tests-backend.yml | 10 + tests/pipelines/templates/tests-common.yml | 36 +- tests/pipelines/templates/tests-loop.yml | 56 + tests/pipelines/templates/tests-strategy.yml | 18 +- tests/pipelines/tests-e2e.yml | 136 +- tests/pipelines/tests-unit.yml | 40 +- tests/scripts/azp-backend.sh | 73 + tests/scripts/azp-spn-generator.sh | 4 +- tests/scripts/azp-strategy.ps1 | 15 +- .../{opa-install.sh => opa-install-linux.sh} | 0 tests/scripts/opa-install-windows.ps1 | 65 + tests/scripts/opa-run-tests.sh | 34 +- tests/scripts/opa-values-generator.ps1 | 240 +- tests/scripts/opa-values-generator.sh | 107 - tests/scripts/tf-apply.sh | 12 +- tests/scripts/tf-destroy.sh | 16 +- tests/scripts/tf-init.sh | 55 +- tests/scripts/tf-plan.sh | 22 +- tests/scripts/tf-prepare.sh | 65 +- variables.tf | 55 +- 95 files changed, 22394 insertions(+), 19214 deletions(-) create mode 100644 locals.virtual_wan.tf create mode 100644 resources.virtual_wan.tf create mode 100644 tests/README.md delete mode 100644 tests/deployment/main.tf delete mode 100644 tests/deployment/planned_values.json delete mode 100644 tests/deployment/settings.shared.tf create mode 100644 tests/modules/settings/outputs.tf rename tests/{deployment => modules/settings}/settings.connectivity.tf (55%) rename tests/{deployment => modules/settings}/settings.core.tf (90%) rename tests/{deployment => modules/settings}/settings.management.tf (92%) create mode 100644 tests/modules/settings/settings.nested.tf create mode 100644 tests/modules/settings/settings.shared.tf create mode 100644 tests/modules/settings/variables.tf create mode 100644 tests/modules/test_001_baseline/client_config.tf create mode 100644 tests/modules/test_001_baseline/main.tf rename tests/{deployment => 
modules/test_001_baseline}/outputs.tf (72%) create mode 100644 tests/modules/test_001_baseline/planned_values.json create mode 100644 tests/modules/test_001_baseline/providers.tf create mode 100644 tests/modules/test_001_baseline/settings.tf rename tests/{deployment/provider.tf => modules/test_001_baseline/terraform.tf} (51%) rename tests/{deployment => modules/test_001_baseline}/variables.tf (62%) create mode 100644 tests/modules/test_002_add_custom_core/client_config.tf create mode 100644 tests/modules/test_002_add_custom_core/main.tf create mode 100644 tests/modules/test_002_add_custom_core/outputs.tf create mode 100644 tests/modules/test_002_add_custom_core/planned_values.json create mode 100644 tests/modules/test_002_add_custom_core/providers.tf create mode 100644 tests/modules/test_002_add_custom_core/settings.tf create mode 100644 tests/modules/test_002_add_custom_core/terraform.tf create mode 100644 tests/modules/test_002_add_custom_core/variables.tf create mode 100644 tests/modules/test_003_add_mgmt_conn/client_config.tf create mode 100644 tests/modules/test_003_add_mgmt_conn/main.tf create mode 100644 tests/modules/test_003_add_mgmt_conn/outputs.tf create mode 100644 tests/modules/test_003_add_mgmt_conn/planned_values.json create mode 100644 tests/modules/test_003_add_mgmt_conn/providers.tf create mode 100644 tests/modules/test_003_add_mgmt_conn/settings.tf create mode 100644 tests/modules/test_003_add_mgmt_conn/terraform.tf create mode 100644 tests/modules/test_003_add_mgmt_conn/variables.tf rename tests/{deployment/lib => modules/test_lib}/archetype_definitions/archetype_definition_customer_online.json (100%) rename tests/{deployment/lib => modules/test_lib}/archetype_definitions/archetype_definition_customer_secure.json (100%) rename tests/{deployment/lib => modules/test_lib}/archetype_extensions/archetype_extension_es_root.json (100%) rename tests/{deployment/lib => 
modules/test_lib}/policy_assignments/policy_assignment_es_deny_rsg_locations.json.tftpl (100%) rename tests/{deployment/lib => modules/test_lib}/policy_assignments/policy_assignment_test_policy_definition.json (100%) rename tests/{deployment/lib => modules/test_lib}/policy_assignments/policy_assignment_test_policy_set_definition.json (100%) create mode 100644 tests/pipelines/templates/tests-backend.yml create mode 100644 tests/pipelines/templates/tests-loop.yml create mode 100755 tests/scripts/azp-backend.sh rename tests/scripts/{opa-install.sh => opa-install-linux.sh} (100%) create mode 100644 tests/scripts/opa-install-windows.ps1 delete mode 100755 tests/scripts/opa-values-generator.sh diff --git a/Makefile b/Makefile index fbcbf7a8..46409a97 100644 --- a/Makefile +++ b/Makefile @@ -8,6 +8,10 @@ azp-strategy: @echo "==> Running script..." ./tests/scripts/azp-strategy.ps1 +azp-backend: + @echo "==> Running script..." + ./tests/scripts/azp-backend.sh + azp-spn-generator: @echo "==> Running script..." ./tests/scripts/azp-spn-generator.sh @@ -46,7 +50,7 @@ tf-destroy: opa-install: @echo "==> Running script..." - ./tests/scripts/opa-install.sh + ./tests/scripts/opa-install-linux.sh opa-run-tests: @echo "==> Running script..." diff --git a/README.md b/README.md index 7c87a29b..1b359100 100644 --- a/README.md +++ b/README.md 
@@ -109,7 +109,7 @@ Please refer to the [Deploy Identity Resources][wiki_deploy_identity_resources] ## Terraform versions -This module has been tested using Terraform `0.15.0` and AzureRM Provider `2.77.0` as a baseline, and various versions to up the most recent at the time of release. +This module has been tested using Terraform `0.15.0` and AzureRM Provider `2.96.0` as a baseline, and various versions to up the most recent at the time of release. In some cases, individual versions of the AzureRM provider may cause errors. If this happens, we advise upgrading to the latest version and checking our [troubleshooting][wiki_troubleshooting] guide before [raising an issue](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues). @@ -132,7 +132,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = ">= 2.77.0" + version = ">= 2.96.0" } } } diff --git a/docs/wiki/[Examples]-Deploy-Connectivity-Resources-With-Custom-Settings.md b/docs/wiki/[Examples]-Deploy-Connectivity-Resources-With-Custom-Settings.md index 4ebff152..2e5dfcdb 100644 --- a/docs/wiki/[Examples]-Deploy-Connectivity-Resources-With-Custom-Settings.md +++ b/docs/wiki/[Examples]-Deploy-Connectivity-Resources-With-Custom-Settings.md @@ -66,7 +66,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = ">= 2.77.0" + version = ">= 2.96.0" } } } diff --git a/docs/wiki/[Examples]-Deploy-Connectivity-Resources.md b/docs/wiki/[Examples]-Deploy-Connectivity-Resources.md index 1a337f10..6882764d 100644 --- a/docs/wiki/[Examples]-Deploy-Connectivity-Resources.md +++ b/docs/wiki/[Examples]-Deploy-Connectivity-Resources.md @@ -46,7 +46,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = ">= 2.77.0" + version = ">= 2.96.0" } } } diff --git a/docs/wiki/[Examples]-Deploy-Custom-Landing-Zone-Archetypes.md b/docs/wiki/[Examples]-Deploy-Custom-Landing-Zone-Archetypes.md index ddb47f5e..5d43e66b 100644 
--- a/docs/wiki/[Examples]-Deploy-Custom-Landing-Zone-Archetypes.md +++ b/docs/wiki/[Examples]-Deploy-Custom-Landing-Zone-Archetypes.md @@ -43,7 +43,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = ">= 2.77.0" + version = ">= 2.96.0" } } } diff --git a/docs/wiki/[Examples]-Deploy-Default-Configuration.md b/docs/wiki/[Examples]-Deploy-Default-Configuration.md index b69f4331..504392ba 100644 --- a/docs/wiki/[Examples]-Deploy-Default-Configuration.md +++ b/docs/wiki/[Examples]-Deploy-Default-Configuration.md @@ -25,7 +25,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = ">= 2.77.0" + version = ">= 2.96.0" } } } diff --git a/docs/wiki/[Examples]-Deploy-Demo-Landing-Zone-Archetypes.md b/docs/wiki/[Examples]-Deploy-Demo-Landing-Zone-Archetypes.md index 2b82ae6f..26624b3f 100644 --- a/docs/wiki/[Examples]-Deploy-Demo-Landing-Zone-Archetypes.md +++ b/docs/wiki/[Examples]-Deploy-Demo-Landing-Zone-Archetypes.md @@ -32,7 +32,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = ">= 2.77.0" + version = ">= 2.96.0" } } } diff --git a/docs/wiki/[Examples]-Deploy-Identity-Resources-With-Custom-Settings.md b/docs/wiki/[Examples]-Deploy-Identity-Resources-With-Custom-Settings.md index 1be53757..91077ee6 100644 --- a/docs/wiki/[Examples]-Deploy-Identity-Resources-With-Custom-Settings.md +++ b/docs/wiki/[Examples]-Deploy-Identity-Resources-With-Custom-Settings.md @@ -46,7 +46,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = ">= 2.77.0" + version = ">= 2.96.0" } } } diff --git a/docs/wiki/[Examples]-Deploy-Identity-Resources.md b/docs/wiki/[Examples]-Deploy-Identity-Resources.md index c1c871c8..598889df 100644 --- a/docs/wiki/[Examples]-Deploy-Identity-Resources.md +++ b/docs/wiki/[Examples]-Deploy-Identity-Resources.md 
@@ -39,7 +39,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = ">= 2.77.0" + version = ">= 2.96.0" } } } diff --git a/docs/wiki/[Examples]-Deploy-Management-Resources-With-Custom-Settings.md b/docs/wiki/[Examples]-Deploy-Management-Resources-With-Custom-Settings.md index de6ee334..a322cec7 100644 --- a/docs/wiki/[Examples]-Deploy-Management-Resources-With-Custom-Settings.md +++ b/docs/wiki/[Examples]-Deploy-Management-Resources-With-Custom-Settings.md @@ -54,7 +54,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = ">= 2.77.0" + version = ">= 2.96.0" } } } diff --git a/docs/wiki/[Examples]-Deploy-Management-Resources.md b/docs/wiki/[Examples]-Deploy-Management-Resources.md index 06d8b4b1..64ecd855 100644 --- a/docs/wiki/[Examples]-Deploy-Management-Resources.md +++ b/docs/wiki/[Examples]-Deploy-Management-Resources.md @@ -40,7 +40,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = ">= 2.77.0" + version = ">= 2.96.0" } } } diff --git a/docs/wiki/[Examples]-Deploy-Using-Module-Nesting.md b/docs/wiki/[Examples]-Deploy-Using-Module-Nesting.md index be97899d..45123942 100644 --- a/docs/wiki/[Examples]-Deploy-Using-Module-Nesting.md +++ b/docs/wiki/[Examples]-Deploy-Using-Module-Nesting.md @@ -83,7 +83,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = ">= 2.77.0" + version = ">= 2.96.0" } } } diff --git a/docs/wiki/[Examples]-Expand-built-in-archetype-definitions.md b/docs/wiki/[Examples]-Expand-built-in-archetype-definitions.md index d302f7c1..5a2c7348 100644 --- a/docs/wiki/[Examples]-Expand-built-in-archetype-definitions.md +++ b/docs/wiki/[Examples]-Expand-built-in-archetype-definitions.md @@ -77,7 +77,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = ">= 2.77.0" + version = ">= 2.96.0" } } } 
diff --git a/docs/wiki/[Examples]-Override-Module-Role-Assignments.md b/docs/wiki/[Examples]-Override-Module-Role-Assignments.md index ce22bd38..624e8b8d 100644 --- a/docs/wiki/[Examples]-Override-Module-Role-Assignments.md +++ b/docs/wiki/[Examples]-Override-Module-Role-Assignments.md @@ -51,7 +51,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = ">= 2.77.0" + version = ">= 2.96.0" } } } diff --git a/docs/wiki/[User-Guide]-Getting-Started.md b/docs/wiki/[User-Guide]-Getting-Started.md index a1497d7e..c67ca09a 100644 --- a/docs/wiki/[User-Guide]-Getting-Started.md +++ b/docs/wiki/[User-Guide]-Getting-Started.md @@ -2,7 +2,7 @@ Before getting started with this module, please take note of the following considerations: -1. This module requires a minimum `azurerm` provider version of `2.77.0`. +1. This module requires a minimum `azurerm` provider version of `2.96.0`. 1. This module requires a minimum Terraform version `0.15.0`. diff --git a/docs/wiki/[User-Guide]-Provider-Configuration.md b/docs/wiki/[User-Guide]-Provider-Configuration.md index e4f18827..7c8060a1 100644 --- a/docs/wiki/[User-Guide]-Provider-Configuration.md +++ b/docs/wiki/[User-Guide]-Provider-Configuration.md @@ -53,7 +53,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = ">= 2.77.0" + version = ">= 2.96.0" } } } @@ -111,7 +111,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = ">= 2.77.0" + version = ">= 2.96.0" configuration_aliases = [ azurerm.connectivity, azurerm.management, diff --git a/locals.connectivity.tf b/locals.connectivity.tf index 08015a3e..9120c868 100644 --- a/locals.connectivity.tf +++ b/locals.connectivity.tf 
@@ -1,174 +1,110 @@ -# The following locals are used to extract the Resource Group -# configuration from the solution module outputs. -locals { - es_connectivity_resource_groups = module.connectivity_resources.configuration.azurerm_resource_group -} - # The following locals are used to build the map of Resource # Groups to deploy. locals { azurerm_resource_group_connectivity = { - for resource in local.es_connectivity_resource_groups : + for resource in module.connectivity_resources.configuration.azurerm_resource_group : resource.resource_id => resource - if resource.managed_by_module + if resource.managed_by_module && + contains(["connectivity", "ddos", "dns"], resource.scope) } } -# The following locals are used to extract the Virtual Network -# configuration from the solution module outputs. -locals { - es_connectivity_virtual_network = module.connectivity_resources.configuration.azurerm_virtual_network -} - # The following locals are used to build the map of Virtual # Networks to deploy. locals { azurerm_virtual_network_connectivity = { - for resource in local.es_connectivity_virtual_network : + for resource in module.connectivity_resources.configuration.azurerm_virtual_network : resource.resource_id => resource if resource.managed_by_module } } -# The following locals are used to extract the Subnets -# configuration from the solution module outputs. -locals { - es_connectivity_subnet = module.connectivity_resources.configuration.azurerm_subnet -} - # The following locals are used to build the map of Subnets # to deploy. locals { azurerm_subnet_connectivity = { - for resource in local.es_connectivity_subnet : + for resource in module.connectivity_resources.configuration.azurerm_subnet : resource.resource_id => resource if resource.managed_by_module } } -# The following locals are used to extract the Virtual Network -# Gateway configuration from the solution module outputs. 
-locals { - es_connectivity_virtual_network_gateway = module.connectivity_resources.configuration.azurerm_virtual_network_gateway -} - # The following locals are used to build the map of Virtual # Network Gateways to deploy. locals { azurerm_virtual_network_gateway_connectivity = { - for resource in local.es_connectivity_virtual_network_gateway : + for resource in module.connectivity_resources.configuration.azurerm_virtual_network_gateway : resource.resource_id => resource if resource.managed_by_module } } -# The following locals are used to extract the Public IP -# configuration from the solution module outputs. -locals { - es_connectivity_public_ip = module.connectivity_resources.configuration.azurerm_public_ip -} - # The following locals are used to build the map of Public # IPs to deploy. locals { azurerm_public_ip_connectivity = { - for resource in local.es_connectivity_public_ip : + for resource in module.connectivity_resources.configuration.azurerm_public_ip : resource.resource_id => resource if resource.managed_by_module } } -# The following locals are used to extract the Azure Firewall -# configuration from the solution module outputs. -locals { - es_connectivity_firewall = module.connectivity_resources.configuration.azurerm_firewall -} - # The following locals are used to build the map of Azure # Firewalls to deploy. locals { azurerm_firewall_connectivity = { - for resource in local.es_connectivity_firewall : + for resource in module.connectivity_resources.configuration.azurerm_firewall : resource.resource_id => resource - if resource.managed_by_module + if resource.managed_by_module && + resource.scope == "connectivity" } } -# The following locals are used to extract the DDoS Protection -# Plan configuration from the solution module outputs. 
-locals { - es_connectivity_network_ddos_protection_plan = module.connectivity_resources.configuration.azurerm_network_ddos_protection_plan -} - # The following locals are used to build the map of DDoS # Protection Plans to deploy. locals { azurerm_network_ddos_protection_plan_connectivity = { - for resource in local.es_connectivity_network_ddos_protection_plan : + for resource in module.connectivity_resources.configuration.azurerm_network_ddos_protection_plan : resource.resource_id => resource if resource.managed_by_module } } -# The following locals are used to extract the Private DNS Zone -# configuration from the solution module outputs. -locals { - es_connectivity_private_dns_zone = module.connectivity_resources.configuration.azurerm_private_dns_zone -} - # The following locals are used to build the map of Private DNS # Zones to deploy. locals { azurerm_private_dns_zone_connectivity = { - for resource in local.es_connectivity_private_dns_zone : + for resource in module.connectivity_resources.configuration.azurerm_private_dns_zone : resource.resource_id => resource if resource.managed_by_module } } -# The following locals are used to extract the Public DNS Zone -# configuration from the solution module outputs. -locals { - es_connectivity_dns_zone = module.connectivity_resources.configuration.azurerm_dns_zone -} - # The following locals are used to build the map of Public DNS # Zones to deploy. locals { azurerm_dns_zone_connectivity = { - for resource in local.es_connectivity_dns_zone : + for resource in module.connectivity_resources.configuration.azurerm_dns_zone : resource.resource_id => resource if resource.managed_by_module } } -# The following locals are used to extract the Private DNS Zone -# Virtual Network Links configuration from the solution module outputs. 
-locals { - es_connectivity_private_dns_zone_virtual_network_link = module.connectivity_resources.configuration.azurerm_private_dns_zone_virtual_network_link -} - # The following locals are used to build the map of Private DNS Zone # Virtual Network Links to deploy. locals { azurerm_private_dns_zone_virtual_network_link_connectivity = { - for resource in local.es_connectivity_private_dns_zone_virtual_network_link : + for resource in module.connectivity_resources.configuration.azurerm_private_dns_zone_virtual_network_link : resource.resource_id => resource if resource.managed_by_module } } -# The following locals are used to extract the Virtual Network -# Peering configuration from the solution module outputs. -locals { - es_connectivity_virtual_network_peering = module.connectivity_resources.configuration.azurerm_virtual_network_peering -} - # The following locals are used to build the map of Virtual # Network Peerings to deploy. locals { azurerm_virtual_network_peering_connectivity = { - for resource in local.es_connectivity_virtual_network_peering : + for resource in module.connectivity_resources.configuration.azurerm_virtual_network_peering : resource.resource_id => resource if resource.managed_by_module } diff --git a/locals.management.tf b/locals.management.tf index 6f1302e2..894edc6b 100644 --- a/locals.management.tf +++ b/locals.management.tf 
@@ -1,78 +1,48 @@ -# The following locals are used to extract the Resource Group -# configuration from the solution module outputs. -locals { - es_management_resource_groups = module.management_resources.configuration.azurerm_resource_group -} - # The following locals are used to build the map of Resource # Groups to deploy. locals { azurerm_resource_group_management = { - for resource in local.es_management_resource_groups : + for resource in module.management_resources.configuration.azurerm_resource_group : resource.resource_id => resource if resource.managed_by_module } } -# The following locals are used to extract the Log Analytics -# configuration from the solution module outputs. -locals { - es_management_log_analytics_workspaces = module.management_resources.configuration.azurerm_log_analytics_workspace -} - # The following locals are used to build the map of Log # Analytics workspaces to deploy. locals { azurerm_log_analytics_workspace_management = { - for resource in local.es_management_log_analytics_workspaces : + for resource in module.management_resources.configuration.azurerm_log_analytics_workspace : resource.resource_id => resource if resource.managed_by_module } } -# The following locals are used to extract the Log Analytics -# Solutions configuration from the solution module outputs. -locals { - es_management_log_analytics_solution = module.management_resources.configuration.azurerm_log_analytics_solution -} - # The following locals are used to build the map of Log # Analytics workspaces to deploy. locals { azurerm_log_analytics_solution_management = { - for resource in local.es_management_log_analytics_solution : + for resource in module.management_resources.configuration.azurerm_log_analytics_solution : resource.resource_id => resource if resource.managed_by_module } } -# The following locals are used to extract the Automation -# Account configuration from the solution module outputs. 
-locals { - es_management_automation_account = module.management_resources.configuration.azurerm_automation_account -} - # The following locals are used to build the map of Log # Analytics workspaces to deploy. locals { azurerm_automation_account_management = { - for resource in local.es_management_automation_account : + for resource in module.management_resources.configuration.azurerm_automation_account : resource.resource_id => resource if resource.managed_by_module } } -# The following locals are used to extract the Log Analytics -# Linked Service configuration from the solution module outputs. -locals { - es_management_log_analytics_linked_service = module.management_resources.configuration.azurerm_log_analytics_linked_service -} - # The following locals are used to build the map of Log # Analytics workspaces to deploy. locals { azurerm_log_analytics_linked_service_management = { - for resource in local.es_management_log_analytics_linked_service : + for resource in module.management_resources.configuration.azurerm_log_analytics_linked_service : resource.resource_id => resource if resource.managed_by_module } diff --git a/locals.policy_assignments.tf b/locals.policy_assignments.tf index baa23242..6ffb7582 100644 --- a/locals.policy_assignments.tf +++ b/locals.policy_assignments.tf 
@@ -85,8 +85,8 @@ locals { azurerm_policy_set_definition_external_lookup = { for policy_set_definition_id in keys(transpose(local.policy_assignments_with_managed_identity_using_external_policy_set_definition)) : policy_set_definition_id => { - name = basename(policy_set_definition_id) - management_group_name = regex(local.regex_split_resource_id, policy_set_definition_id)[0] == "/providers/Microsoft.Management/managementGroups/" ? regex(local.regex_split_resource_id, policy_set_definition_id)[1] : null + name = basename(policy_set_definition_id) + management_group_id = regex(local.regex_split_resource_id, policy_set_definition_id)[0] == "/providers/Microsoft.Management/managementGroups/" ? regex(local.regex_split_resource_id, policy_set_definition_id)[1] : null } } } @@ -96,7 +96,7 @@ data "azurerm_policy_set_definition" "external_lookup" { for_each = local.azurerm_policy_set_definition_external_lookup name = each.value.name - management_group_name = each.value.management_group_name + management_group_name = each.value.management_group_id } # Create a list of Policy Definitions IDs used by all assigned Policy Set Definitions 
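Review bot: The lookup attribute is renamed to `management_group_id`, yet both data sources still consume it as `management_group_name = each.value.management_group_id`, so the key name now disagrees with the argument it feeds. The value is still `regex(local.regex_split_resource_id, ...)[1]`, which looks like a single path segment rather than a full resource ID; that regex is defined outside these hunks, so confirm. Either keep the key as `management_group_name`, or add a comment at each data source such as `# argument expects the management group name segment extracted from the definition ID`. The same applies to the hunks at -96, -134 and -158.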
@@ -134,16 +134,16 @@ locals { external_policy_definitions_from_azurerm_policy_set_definition_external_lookup = { for policy_definition_id in local.external_policy_definition_ids_from_policy_set_definitions : policy_definition_id => { - name = basename(policy_definition_id) - management_group_name = regex(local.regex_split_resource_id, policy_definition_id)[0] == "/providers/Microsoft.Management/managementGroups/" ? regex(local.regex_split_resource_id, policy_definition_id)[1] : null + name = basename(policy_definition_id) + management_group_id = regex(local.regex_split_resource_id, policy_definition_id)[0] == "/providers/Microsoft.Management/managementGroups/" ? regex(local.regex_split_resource_id, policy_definition_id)[1] : null } } # From Policy Assignments using Policy Definitions external_policy_definitions_from_internal_policy_assignments = { for policy_definition_id in keys(transpose(local.policy_assignments_with_managed_identity_using_external_policy_definition)) : policy_definition_id => { - name = basename(policy_definition_id) - management_group_name = regex(local.regex_split_resource_id, policy_definition_id)[0] == "/providers/Microsoft.Management/managementGroups/" ? regex(local.regex_split_resource_id, policy_definition_id)[1] : null + name = basename(policy_definition_id) + management_group_id = regex(local.regex_split_resource_id, policy_definition_id)[0] == "/providers/Microsoft.Management/managementGroups/" ? regex(local.regex_split_resource_id, policy_definition_id)[1] : null } } # Then create a single list containing all Policy Definitions to lookup from Azure @@ -158,7 +158,7 @@ data "azurerm_policy_definition" "external_lookup" { for_each = local.azurerm_policy_definition_external_lookup name = each.value.name - management_group_name = each.value.management_group_name + management_group_name = each.value.management_group_id } # Extract the Role Definition IDs from the internal and external 
diff --git a/locals.tf b/locals.tf index fbb3ccaf..71b1804b 100644 --- a/locals.tf +++ b/locals.tf @@ -42,6 +42,17 @@ locals { disable_base_module_tags = var.disable_base_module_tags } +# The following locals are used to ensure non-null values +# are assigned to each of the corresponding inputs for +# correct processing in `lookup()` functions +locals { + enforcement_mode_default = { + enforcement_mode = null + } + connectivity_resources_advanced = coalesce(local.configure_connectivity_resources.advanced, local.empty_map) + management_resources_advanced = coalesce(local.configure_management_resources.advanced, local.empty_map) +} + # The following locals are used to define a set of module # tags applied to all resources unless disabled by the # input variable "disable_module_tags" and prepare the 
@@ -109,19 +120,19 @@ locals { default_create_duration_delay = "30s" default_destroy_duration_delay = "0s" create_duration_delay = { - after_azurerm_management_group = try(var.create_duration_delay["azurerm_management_group"], local.default_create_duration_delay) - after_azurerm_policy_assignment = try(var.create_duration_delay["azurerm_policy_assignment"], local.default_create_duration_delay) - after_azurerm_policy_definition = try(var.create_duration_delay["azurerm_policy_definition"], local.default_create_duration_delay) - after_azurerm_policy_set_definition = try(var.create_duration_delay["azurerm_policy_set_definition"], local.default_create_duration_delay) - after_azurerm_role_assignment = try(var.create_duration_delay["azurerm_role_assignment"], local.default_create_duration_delay) - after_azurerm_role_definition = try(var.create_duration_delay["azurerm_role_definition"], local.default_create_duration_delay) + after_azurerm_management_group = lookup(var.create_duration_delay, "azurerm_management_group", local.default_create_duration_delay) + after_azurerm_policy_assignment = lookup(var.create_duration_delay, "azurerm_policy_assignment", local.default_create_duration_delay) + after_azurerm_policy_definition = lookup(var.create_duration_delay, "azurerm_policy_definition", local.default_create_duration_delay) + after_azurerm_policy_set_definition = lookup(var.create_duration_delay, "azurerm_policy_set_definition", local.default_create_duration_delay) + after_azurerm_role_assignment = lookup(var.create_duration_delay, "azurerm_role_assignment", local.default_create_duration_delay) + after_azurerm_role_definition = lookup(var.create_duration_delay, "azurerm_role_definition", local.default_create_duration_delay) } destroy_duration_delay = { - after_azurerm_management_group = try(var.destroy_duration_delay["azurerm_management_group"], local.default_destroy_duration_delay) - after_azurerm_policy_assignment = 
try(var.destroy_duration_delay["azurerm_policy_assignment"], local.default_destroy_duration_delay) - after_azurerm_policy_definition = try(var.destroy_duration_delay["azurerm_policy_definition"], local.default_destroy_duration_delay) - after_azurerm_policy_set_definition = try(var.destroy_duration_delay["azurerm_policy_set_definition"], local.default_destroy_duration_delay) - after_azurerm_role_assignment = try(var.destroy_duration_delay["azurerm_role_assignment"], local.default_destroy_duration_delay) - after_azurerm_role_definition = try(var.destroy_duration_delay["azurerm_role_definition"], local.default_destroy_duration_delay) + after_azurerm_management_group = lookup(var.destroy_duration_delay, "azurerm_management_group", local.default_destroy_duration_delay) + after_azurerm_policy_assignment = lookup(var.destroy_duration_delay, "azurerm_policy_assignment", local.default_destroy_duration_delay) + after_azurerm_policy_definition = lookup(var.destroy_duration_delay, "azurerm_policy_definition", local.default_destroy_duration_delay) + after_azurerm_policy_set_definition = lookup(var.destroy_duration_delay, "azurerm_policy_set_definition", local.default_destroy_duration_delay) + after_azurerm_role_assignment = lookup(var.destroy_duration_delay, "azurerm_role_assignment", local.default_destroy_duration_delay) + after_azurerm_role_definition = lookup(var.destroy_duration_delay, "azurerm_role_definition", local.default_destroy_duration_delay) } } diff --git a/locals.virtual_wan.tf b/locals.virtual_wan.tf new file mode 100644 index 00000000..16238439 --- /dev/null +++ b/locals.virtual_wan.tf 
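Review bot: `lookup()` raises an error when its first argument is null, so the twelve rewritten entries in `create_duration_delay` and `destroy_duration_delay` no longer fall back to the defaults if a caller passes `null` for either variable, which the previous `try()` form tolerated. The variable declarations are outside this hunk, so this only matters if they can be null. If they can, guard them the same way this commit guards the `advanced` settings, e.g. `lookup(coalesce(var.create_duration_delay, local.empty_map), "azurerm_management_group", local.default_create_duration_delay)`. The enclosing `locals` block starts outside the hunk.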
@@ -0,0 +1,71 @@
+# The following locals are used to build the map of Resource
+# Groups to deploy.
+locals {
+ azurerm_resource_group_virtual_wan = {
+ for resource in module.connectivity_resources.configuration.azurerm_resource_group :
+ resource.resource_id => resource
+ if resource.managed_by_module &&
+ resource.scope == "virtual_wan"
+ }
+}
+
+# The following locals are used to build the map of Azure
+# Virtual WANs to deploy.
+locals {
+ azurerm_virtual_wan_virtual_wan = {
+ for resource in module.connectivity_resources.configuration.azurerm_virtual_wan :
+ resource.resource_id => resource
+ if resource.managed_by_module
+ }
+}
+
+# The following locals are used to build the map of Azure
+# Virtual Hubs to deploy.
+locals {
+ azurerm_virtual_hub_virtual_wan = {
+ for resource in module.connectivity_resources.configuration.azurerm_virtual_hub :
+ resource.resource_id => resource
+ if resource.managed_by_module
+ }
+}
+
+# The following locals are used to build the map of Azure
+# Expressroute Gateways to deploy.
+locals {
+ azurerm_express_route_gateway_virtual_wan = {
+ for resource in module.connectivity_resources.configuration.azurerm_express_route_gateway :
+ resource.resource_id => resource
+ if resource.managed_by_module
+ }
+}
+
+# The following locals are used to build the map of Azure
+# VPN Gateways to deploy.
+locals {
+ azurerm_vpn_gateway_virtual_wan = {
+ for resource in module.connectivity_resources.configuration.azurerm_vpn_gateway :
+ resource.resource_id => resource
+ if resource.managed_by_module
+ }
+}
+
+# The following locals are used to build the map of Azure
+# Firewalls to deploy.
+locals {
+ azurerm_firewall_virtual_wan = {
+ for resource in module.connectivity_resources.configuration.azurerm_firewall :
+ resource.resource_id => resource
+ if resource.managed_by_module &&
+ resource.scope == "virtual_wan"
+ }
+}
+
+# The following locals are used to build the map of Virtual
+# Network Peerings to deploy.
+locals { + azurerm_virtual_hub_connection = { + for resource in module.connectivity_resources.configuration.azurerm_virtual_hub_connection : + resource.resource_id => resource + if resource.managed_by_module + } +} diff --git a/main.tf b/main.tf index c7f5cca2..528bd275 100644 --- a/main.tf +++ b/main.tf @@ -17,9 +17,9 @@ module "management_group_archetypes" { template_file_variables = local.template_file_variables default_location = local.default_location enforcement_mode = merge( - try(module.connectivity_resources.configuration.archetype_config_overrides[basename(each.key)].enforcement_mode, null), - try(module.identity_resources.configuration.archetype_config_overrides[basename(each.key)].enforcement_mode, null), - try(module.management_resources.configuration.archetype_config_overrides[basename(each.key)].enforcement_mode, null), + lookup(module.connectivity_resources.configuration.archetype_config_overrides, basename(each.key), local.enforcement_mode_default).enforcement_mode, + lookup(module.identity_resources.configuration.archetype_config_overrides, basename(each.key), local.enforcement_mode_default).enforcement_mode, + lookup(module.management_resources.configuration.archetype_config_overrides, basename(each.key), local.enforcement_mode_default).enforcement_mode, ) } 
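Review bot: The comment above `azurerm_virtual_hub_connection` at the end of the new file describes "Virtual Network Peerings", but the local is built from `configuration.azurerm_virtual_hub_connection`. It should read `# The following locals are used to build the map of Virtual` / `# Hub Connections to deploy.`. The same local is also the only one in the file without the `_virtual_wan` suffix carried by the other six maps, so if the consuming resource block allows it, `azurerm_virtual_hub_connection_virtual_wan` would keep the naming uniform.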
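Review bot: The three `lookup(...).enforcement_mode` arguments are combined with `merge()`, where a later argument overrides an earlier one for the same key, so a management override wins over an identity or connectivity override without that being stated anywhere in the hunk. Because these values presumably decide whether a policy assignment is enforced, the precedence deserves a comment above the call, e.g. `# merge() precedence: management > identity > connectivity for the same assignment`. Note also that `.enforcement_mode` is now read directly, so an override entry lacking that attribute fails the plan instead of being silently ignored as with `try()`; that looks intentional but is worth confirming against the child module outputs. The `module "management_group_archetypes"` block begins outside the hunk.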
@@ -40,13 +40,13 @@ module "management_resources" { tags = local.management_resources_tags # Optional input variables (advanced configuration) - resource_prefix = try(local.configure_management_resources.advanced.resource_prefix, local.empty_string) - resource_suffix = try(local.configure_management_resources.advanced.resource_suffix, local.empty_string) - existing_resource_group_name = try(local.configure_management_resources.advanced.existing_resource_group_name, local.empty_string) - existing_log_analytics_workspace_resource_id = try(local.configure_management_resources.advanced.existing_log_analytics_workspace_resource_id, local.empty_string) - existing_automation_account_resource_id = try(local.configure_management_resources.advanced.existing_automation_account_resource_id, local.empty_string) - link_log_analytics_to_automation_account = try(local.configure_management_resources.advanced.link_log_analytics_to_automation_account, true) - custom_settings_by_resource_type = try(local.configure_management_resources.advanced.custom_settings_by_resource_type, local.empty_map) + resource_prefix = lookup(local.management_resources_advanced, "resource_prefix", local.empty_string) + resource_suffix = lookup(local.management_resources_advanced, "resource_suffix", local.empty_string) + existing_resource_group_name = lookup(local.management_resources_advanced, "existing_resource_group_name", local.empty_string) + existing_log_analytics_workspace_resource_id = lookup(local.management_resources_advanced, "existing_log_analytics_workspace_resource_id", local.empty_string) + existing_automation_account_resource_id = lookup(local.management_resources_advanced, "existing_automation_account_resource_id", local.empty_string) + link_log_analytics_to_automation_account = lookup(local.management_resources_advanced, "link_log_analytics_to_automation_account", true) + custom_settings_by_resource_type = lookup(local.management_resources_advanced, "custom_settings_by_resource_type", 
local.empty_map) } # The following module is used to generate the configuration @@ -78,8 +78,10 @@ module "connectivity_resources" { tags = local.connectivity_resources_tags # Optional input variables (advanced configuration) - resource_prefix = try(local.configure_connectivity_resources.advanced.resource_prefix, local.empty_string) - resource_suffix = try(local.configure_connectivity_resources.advanced.resource_suffix, local.empty_string) - existing_ddos_protection_plan_resource_id = try(local.configure_connectivity_resources.advanced.existing_resource_group_name, local.empty_string) - custom_settings_by_resource_type = try(local.configure_connectivity_resources.advanced.custom_settings_by_resource_type, local.empty_map) + resource_prefix = lookup(local.connectivity_resources_advanced, "resource_prefix", null) + resource_suffix = lookup(local.connectivity_resources_advanced, "resource_suffix", null) + existing_ddos_protection_plan_resource_id = lookup(local.connectivity_resources_advanced, "existing_ddos_protection_plan_resource_id", null) + existing_virtual_wan_resource_id = lookup(local.connectivity_resources_advanced, "existing_virtual_wan_resource_id", null) + resource_group_per_virtual_hub_location = lookup(local.connectivity_resources_advanced, "resource_group_per_virtual_hub_location", false) + custom_settings_by_resource_type = lookup(local.connectivity_resources_advanced, "custom_settings_by_resource_type", null) } diff --git a/modules/connectivity/locals.tf b/modules/connectivity/locals.tf index 87ca2917..b25d579c 100644 --- a/modules/connectivity/locals.tf +++ b/modules/connectivity/locals.tf 
@@ -19,8 +19,10 @@ locals { location = var.location tags = var.tags resource_prefix = coalesce(var.resource_prefix, local.root_id) - resource_suffix = length(var.resource_suffix) > 0 ? "-${var.resource_suffix}" : local.empty_string + resource_suffix = var.resource_suffix != null ? "-${var.resource_suffix}" : local.empty_string existing_ddos_protection_plan_resource_id = var.existing_ddos_protection_plan_resource_id + existing_virtual_wan_resource_id = var.existing_virtual_wan_resource_id != null ? var.existing_virtual_wan_resource_id : local.empty_string + resource_group_per_virtual_hub_location = var.resource_group_per_virtual_hub_location custom_settings = var.custom_settings_by_resource_type } 
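Review bot: The new `resource_suffix` test `var.resource_suffix != null` accepts an empty string, so a caller who sets `resource_suffix = ""` now gets a bare trailing `-` on every generated name, which the removed `length(var.resource_suffix) > 0` check prevented. Keeping both conditions avoids that: `resource_suffix = var.resource_suffix != null && var.resource_suffix != local.empty_string ? "-${var.resource_suffix}" : local.empty_string`. In the same hunk `existing_virtual_wan_resource_id` is normalised from null to an empty string but `existing_ddos_protection_plan_resource_id` is passed through unchanged, although the root module now defaults both to null. The code that consumes the DDoS plan ID is not visible here, so confirm it tolerates null. The `locals` block continues outside the hunk.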
@@ -36,22 +38,91 @@ locals { coalesce(hub_network.config.location, local.location) => hub_network } hub_network_locations = keys(local.hub_networks_by_location) - ddos_location = coalesce(local.settings.ddos_protection_plan.config.location, local.location) - dns_location = coalesce(local.settings.dns.config.location, local.location) + virtual_hubs = local.settings.vwan_hub_networks + # We generate the virtual_hubs_by_location as a map + # to ensure the user has provided unique values for + # each hub location. If duplicates are found, + # terraform will throw an error at this point. + # By default we recommend creating all Virtual WAN + # resources in a single Resource Group as per: + # https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-faq#can-hubs-be-created-in-different-resource-group-in-virtual-wan + # As this is only an issue for customers using the + # Portal to manage Virtual WAN resources, the following + # logic is used to allow a customer to use dedicated Resource + # Groups per location if preferred. 
+ virtual_hubs_by_location = { + for virtual_hub in local.virtual_hubs : + coalesce(virtual_hub.config.location, local.location) => virtual_hub + } + virtual_hubs_by_location_for_resource_group_per_location = { + for virtual_hub in local.virtual_hubs : + coalesce(virtual_hub.config.location, local.location) => virtual_hub + if local.resource_group_per_virtual_hub_location + } + virtual_hubs_by_location_for_shared_resource_group = { + for virtual_hub in local.virtual_hubs : + coalesce(virtual_hub.config.location, local.location) => virtual_hub + if !local.resource_group_per_virtual_hub_location + } + # The following objects are used to identify azurerm_virtual_hub + # resources which need to be associated with a new or existing + # azurerm_virtual_wan resource + virtual_hubs_by_location_for_managed_virtual_wan = { + for virtual_hub in local.virtual_hubs : + coalesce(virtual_hub.config.location, local.location) => virtual_hub + if local.existing_virtual_wan_resource_id == "" + } + virtual_hubs_by_location_for_existing_virtual_wan = { + for virtual_hub in local.virtual_hubs : + coalesce(virtual_hub.config.location, local.location) => virtual_hub + if local.existing_virtual_wan_resource_id != "" + } + # Need to know the full list of virtual_hub_locations + # for azurerm_virtual_hub resource deployments. + virtual_hub_locations = keys(local.virtual_hubs_by_location) + # The azurerm_virtual_wan resource will be created in the + # default location of the connectivity module if a new. + virtual_wan_locations = anytrue( + [ + length(local.virtual_hubs_by_location_for_managed_virtual_wan) > 0, + length(local.virtual_hubs_by_location_for_shared_resource_group) > 0, + ] + ) ? 
[local.location, ] : local.empty_list + ddos_location = coalesce(local.settings.ddos_protection_plan.config.location, local.location) + dns_location = coalesce(local.settings.dns.config.location, local.location) + connectivity_locations = distinct(concat( + local.hub_network_locations, + keys(local.virtual_hubs_by_location_for_resource_group_per_location), + )) + result_when_location_missing = { + enabled = false + } } - # Logic to determine whether specific resources # should be created by this module +# - Resource Groups locals { - deploy_ddos_protection_plan = local.enabled && local.settings.ddos_protection_plan.enabled - deploy_dns = local.enabled && local.settings.dns.enabled deploy_resource_groups = { connectivity = { - for location, hub_network in local.hub_networks_by_location : + for location in local.connectivity_locations : location => local.enabled && - hub_network.enabled + anytrue( + [ + lookup(local.hub_networks_by_location, location, local.result_when_location_missing).enabled, + lookup(local.virtual_hubs_by_location_for_resource_group_per_location, location, local.result_when_location_missing).enabled, + ] + ) + } + virtual_wan = { + for location in local.virtual_wan_locations : + location => + local.enabled && + anytrue(concat( + values(local.virtual_hubs_by_location_for_managed_virtual_wan).*.enabled, + values(local.virtual_hubs_by_location_for_shared_resource_group).*.enabled, + )) } ddos = { (local.ddos_location) = local.deploy_ddos_protection_plan 
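Review bot: The comment added above `virtual_wan_locations` breaks off mid-sentence ("…if a new."), leaving the placement rule unstated. The expression returns `local.location` when either the managed-Virtual-WAN map or the shared-resource-group map is non-empty, and the comment should say so, e.g. `# Returns the default connectivity location when the module creates the Virtual WAN or hubs share a single Resource Group.`. Two style points in the same hunk: `local.existing_virtual_wan_resource_id == ""` could compare against `local.empty_string` as the rest of the file does, and `values(...).*.enabled` in `deploy_resource_groups.virtual_wan` is the legacy splat form of `values(...)[*].enabled`. Since a non-empty `existing_virtual_wan_resource_id` is what switches hubs from a module-managed Virtual WAN to an external one, a format check on that value where the variable is declared (not visible here) would be a reasonable addition. The first `locals` block begins outside the hunk.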
@@ -60,6 +131,28 @@ locals { (local.dns_location) = local.deploy_dns } } +} + +# Logic to determine whether specific resources +# should be created by this module +# - DDoS Protection Plan +locals { + deploy_ddos_protection_plan = local.enabled && local.settings.ddos_protection_plan.enabled +} + +# Logic to determine whether specific resources +# should be created by this module +# - DNS +locals { + deploy_dns = local.enabled && local.settings.dns.enabled + deploy_private_dns_zone_virtual_network_link_on_hubs = local.deploy_dns && local.settings.dns.config.enable_private_dns_zone_virtual_network_link_on_hubs + deploy_private_dns_zone_virtual_network_link_on_spokes = local.deploy_dns && local.settings.dns.config.enable_private_dns_zone_virtual_network_link_on_spokes +} + +# Logic to determine whether specific resources +# should be created by this module +# - Hub networks +locals { deploy_hub_network = { for location, hub_network in local.hub_networks_by_location : location => @@ -73,7 +166,7 @@ locals { hub_network.config.virtual_network_gateway.enabled && hub_network.config.virtual_network_gateway.config.address_prefix != local.empty_string } - deploy_virtual_network_gateway_expressroute = { + deploy_virtual_network_gateway_express_route = { for location, hub_network in local.hub_networks_by_location : location => local.deploy_virtual_network_gateway[location] && 
@@ -95,10 +188,52 @@ locals { for location, hub_network in local.hub_networks_by_location : location => local.deploy_dns && + local.deploy_hub_network[location] && hub_network.config.enable_outbound_virtual_network_peering } - deploy_private_dns_zone_virtual_network_link_on_hubs = local.deploy_dns && local.settings.dns.config.enable_private_dns_zone_virtual_network_link_on_hubs - deploy_private_dns_zone_virtual_network_link_on_spokes = local.deploy_dns && local.settings.dns.config.enable_private_dns_zone_virtual_network_link_on_spokes +} + +# Logic to determine whether specific resources +# should be created by this module +# - VWAN hub networks +locals { + deploy_virtual_wan = { + (local.location) = ( + local.enabled && + local.existing_virtual_wan_resource_id == "" && + anytrue(values(local.deploy_virtual_hub)) + ) + } + deploy_virtual_hub = { + for location, virtual_hub in local.virtual_hubs_by_location : + location => + local.enabled && + virtual_hub.enabled + } + deploy_virtual_hub_express_route_gateway = { + for location, virtual_hub in local.virtual_hubs_by_location : + location => + local.deploy_virtual_hub[location] && + virtual_hub.config.expressroute_gateway.enabled + } + deploy_virtual_hub_vpn_gateway = { + for location, virtual_hub in local.virtual_hubs_by_location : + location => + local.deploy_virtual_hub[location] && + virtual_hub.config.vpn_gateway.enabled + } + deploy_virtual_hub_azure_firewall = { + for location, virtual_hub in local.virtual_hubs_by_location : + location => + local.deploy_virtual_hub[location] && + virtual_hub.config.azure_firewall.enabled + } + deploy_virtual_hub_connection = { + for location, virtual_hub in local.virtual_hubs_by_location : + location => + local.deploy_virtual_hub[location] && + virtual_hub.config.enable_virtual_hub_connections + } } # Configuration settings for resource type: 
@@ -107,11 +242,17 @@ locals { # Determine the name of each Resource Group per scope and location resource_group_names_by_scope_and_location = { connectivity = { - for location in local.hub_network_locations : + for location in local.connectivity_locations : location => try(local.custom_settings.azurerm_resource_group["connectivity"][location].name, "${local.resource_prefix}-connectivity-${location}${local.resource_suffix}") } + virtual_wan = { + for location in local.virtual_wan_locations : + location => + try(local.custom_settings.azurerm_resource_group["virtual_wan"][location].name, + "${local.resource_prefix}-connectivity${local.resource_suffix}") + } ddos = { (local.ddos_location) = try(local.custom_settings.azurerm_resource_group["ddos"][local.ddos_location].name, "${local.resource_prefix}-ddos${local.resource_suffix}") @@ -315,7 +456,7 @@ locals { { # Resource logic attributes resource_id = local.er_gateway_resource_id[location] - managed_by_module = local.deploy_virtual_network_gateway_expressroute[location] + managed_by_module = local.deploy_virtual_network_gateway_express_route[location] # Resource definition attributes name = local.er_gateway_name[location] resource_group_name = local.resource_group_names_by_scope_and_location["connectivity"][location] @@ -348,7 +489,7 @@ locals { azurerm_public_ip = { # Resource logic attributes resource_id = "${local.virtual_network_resource_group_id[location]}/providers/Microsoft.Network/publicIPAddresses/${local.er_gateway_name[location]}-pip" - managed_by_module = local.deploy_virtual_network_gateway_expressroute[location] + managed_by_module = local.deploy_virtual_network_gateway_express_route[location] # Resource definition attributes name = "${local.er_gateway_name[location]}-pip" resource_group_name = local.resource_group_names_by_scope_and_location["connectivity"][location] 
@@ -471,21 +612,36 @@ locals { # Configuration settings for resource type: # - azurerm_firewall +# For VWAN, VPN gateway is required for Security Partner Provider integration locals { azfw_name = { for location in local.hub_network_locations : location => "${local.resource_prefix}-fw-${location}${local.resource_suffix}" } + virtual_hub_azfw_name = { + for location in local.virtual_hub_locations : + location => "${local.resource_prefix}-fw-hub-${location}${local.resource_suffix}" + } azfw_resource_id_prefix = { for location in local.hub_network_locations : location => "${local.virtual_network_resource_group_id[location]}/providers/Microsoft.Network/azureFirewalls" } + virtual_hub_azfw_resource_id_prefix = { + for location in local.virtual_hub_locations : + location => + "${local.virtual_hub_resource_group_id[location]}/providers/Microsoft.Network/azureFirewalls" + } azfw_resource_id = { for location in local.hub_network_locations : location => "${local.azfw_resource_id_prefix[location]}/${local.azfw_name[location]}" } + virtual_hub_azfw_resource_id = { + for location in local.virtual_hub_locations : + location => + "${local.virtual_hub_azfw_resource_id_prefix[location]}/${local.virtual_hub_azfw_name[location]}" + } azfw_zones = { for location, hub_network in local.hub_networks_by_location : location => 
@@ -502,59 +658,302 @@ locals { location => length(local.azfw_zones[location]) > 0 } - azurerm_firewall = [ - for location, hub_network in local.hub_networks_by_location : - { - # Resource logic attributes - resource_id = local.azfw_resource_id[location] - managed_by_module = local.deploy_azure_firewall[location] - # Resource definition attributes - name = local.azfw_name[location] - resource_group_name = local.resource_group_names_by_scope_and_location["connectivity"][location] - location = location - ip_configuration = try( - local.custom_settings.azurerm_firewall["connectivity"][location].ip_configuration, - [ + azurerm_firewall = concat( + [ + for location, hub_network in local.hub_networks_by_location : + { + # Resource logic attributes + resource_id = local.azfw_resource_id[location] + managed_by_module = local.deploy_azure_firewall[location] + scope = "connectivity" + # Resource definition attributes + name = local.azfw_name[location] + resource_group_name = local.resource_group_names_by_scope_and_location["connectivity"][location] + location = location + ip_configuration = try( + local.custom_settings.azurerm_firewall["connectivity"][location].ip_configuration, + [ + { + name = "${local.azfw_name[location]}-pip" + public_ip_address_id = "${local.virtual_network_resource_group_id[location]}/providers/Microsoft.Network/publicIPAddresses/${local.azfw_name[location]}-pip" + subnet_id = "${local.virtual_network_resource_id[location]}/subnets/AzureFirewallSubnet" + } + ] + ) + sku_name = "AZFW_VNet" + sku_tier = try(local.custom_settings.azurerm_firewall["connectivity"][location].sku_tier, "Standard") + firewall_policy_id = try(local.custom_settings.azurerm_firewall["connectivity"][location].firewall_policy_id, null) + dns_servers = try(local.custom_settings.azurerm_firewall["connectivity"][location].dns_servers, null) + private_ip_ranges = try(local.custom_settings.azurerm_firewall["connectivity"][location].private_ip_ranges, null) + management_ip_configuration 
= try(local.custom_settings.azurerm_firewall["connectivity"][location].management_ip_configuration, local.empty_list) + threat_intel_mode = try(local.custom_settings.azurerm_firewall["connectivity"][location].threat_intel_mode, null) + virtual_hub = local.empty_list + zones = try(local.custom_settings.azurerm_firewall["connectivity"][location].zones, local.azfw_zones[location]) + tags = try(local.custom_settings.azurerm_firewall["connectivity"][location].tags, local.tags) + # Child resource definition attributes + azurerm_public_ip = { + # Resource logic attributes + resource_id = "${local.virtual_network_resource_group_id[location]}/providers/Microsoft.Network/publicIPAddresses/${local.azfw_name[location]}-pip" + managed_by_module = local.deploy_azure_firewall[location] + # Resource definition attributes + name = "${local.azfw_name[location]}-pip" + resource_group_name = local.resource_group_names_by_scope_and_location["connectivity"][location] + location = location + sku = try(local.custom_settings.azurerm_public_ip["connectivity"]["azfw"][location].sku, "Standard") + allocation_method = try(local.custom_settings.azurerm_public_ip["connectivity"]["azfw"][location].allocation_method, "Static") + ip_version = try(local.custom_settings.azurerm_public_ip["connectivity"]["azfw"][location].ip_version, null) + idle_timeout_in_minutes = try(local.custom_settings.azurerm_public_ip["connectivity"]["azfw"][location].idle_timeout_in_minutes, null) + domain_name_label = try(local.custom_settings.azurerm_public_ip["connectivity"]["azfw"][location].domain_name_label, null) + reverse_fqdn = try(local.custom_settings.azurerm_public_ip["connectivity"]["azfw"][location].reverse_fqdn, null) + public_ip_prefix_id = try(local.custom_settings.azurerm_public_ip["connectivity"]["azfw"][location].public_ip_prefix_id, null) + ip_tags = try(local.custom_settings.azurerm_public_ip["connectivity"]["azfw"][location].ip_tags, null) + tags = 
try(local.custom_settings.azurerm_public_ip["connectivity"]["azfw"][location].tags, local.tags) + availability_zone = try( + local.custom_settings.azurerm_public_ip["connectivity"]["azfw"][location].availability_zone, + local.azfw_zones_enabled[location] ? "Zone-Redundant" : "No-Zone" + ) + } + } + ], + [ + for location, virtual_hub in local.virtual_hubs_by_location : + { + # Resource logic attributes + resource_id = local.virtual_hub_azfw_resource_id[location] + managed_by_module = local.deploy_virtual_hub_azure_firewall[location] + scope = "virtual_wan" + # Resource definition attributes + name = local.virtual_hub_azfw_name[location] + resource_group_name = local.virtual_hub_resource_group_name[location] + location = location + ip_configuration = try( + local.custom_settings.azurerm_firewall["virtual_wan"][location].ip_configuration, + local.empty_list + ) + sku_name = "AZFW_Hub" + sku_tier = try(local.custom_settings.azurerm_firewall["virtual_wan"][location].sku_tier, "Standard") + firewall_policy_id = try(local.custom_settings.azurerm_firewall["virtual_wan"][location].firewall_policy_id, null) + dns_servers = try(local.custom_settings.azurerm_firewall["virtual_wan"][location].dns_servers, null) + private_ip_ranges = try(local.custom_settings.azurerm_firewall["virtual_wan"][location].private_ip_ranges, null) + management_ip_configuration = try(local.custom_settings.azurerm_firewall["virtual_wan"][location].management_ip_configuration, local.empty_list) + threat_intel_mode = "" # If virtual_hub_settting is specified, the threat_intel_mode has to be explicitly set as "". 
+ virtual_hub = [ { - name = "${local.azfw_name[location]}-pip" - public_ip_address_id = "${local.virtual_network_resource_group_id[location]}/providers/Microsoft.Network/publicIPAddresses/${local.azfw_name[location]}-pip" - subnet_id = "${local.virtual_network_resource_id[location]}/subnets/AzureFirewallSubnet" + virtual_hub_id = local.virtual_hub_resource_id[location] + public_ip_count = try(local.custom_settings.azurerm_firewall["virtual_wan"][location].virtual_hub[0].public_ip_count, 1) } ] - ) - sku_name = try(local.custom_settings.azurerm_firewall["connectivity"][location].sku_name, "AZFW_VNet") - sku_tier = try(local.custom_settings.azurerm_firewall["connectivity"][location].sku_tier, "Standard") - firewall_policy_id = try(local.custom_settings.azurerm_firewall["connectivity"][location].firewall_policy_id, null) - dns_servers = try(local.custom_settings.azurerm_firewall["connectivity"][location].dns_servers, null) - private_ip_ranges = try(local.custom_settings.azurerm_firewall["connectivity"][location].private_ip_ranges, null) - management_ip_configuration = try(local.custom_settings.azurerm_firewall["connectivity"][location].management_ip_configuration, local.empty_list) - threat_intel_mode = try(local.custom_settings.azurerm_firewall["connectivity"][location].threat_intel_mode, null) - virtual_hub = try(local.custom_settings.azurerm_firewall["connectivity"][location].virtual_hub, local.empty_list) - zones = try(local.custom_settings.azurerm_firewall["connectivity"][location].zones, local.azfw_zones[location]) - tags = try(local.custom_settings.azurerm_firewall["connectivity"][location].tags, local.tags) - # Child resource definition attributes - azurerm_public_ip = { - # Resource logic attributes - resource_id = "${local.virtual_network_resource_group_id[location]}/providers/Microsoft.Network/publicIPAddresses/${local.azfw_name[location]}-pip" - managed_by_module = local.deploy_azure_firewall[location] - # Resource definition attributes - name = 
"${local.azfw_name[location]}-pip" - resource_group_name = local.resource_group_names_by_scope_and_location["connectivity"][location] - location = location - sku = try(local.custom_settings.azurerm_public_ip["connectivity"]["azfw"][location].sku, "Standard") - allocation_method = try(local.custom_settings.azurerm_public_ip["connectivity"]["azfw"][location].allocation_method, "Static") - ip_version = try(local.custom_settings.azurerm_public_ip["connectivity"]["azfw"][location].ip_version, null) - idle_timeout_in_minutes = try(local.custom_settings.azurerm_public_ip["connectivity"]["azfw"][location].idle_timeout_in_minutes, null) - domain_name_label = try(local.custom_settings.azurerm_public_ip["connectivity"]["azfw"][location].domain_name_label, null) - reverse_fqdn = try(local.custom_settings.azurerm_public_ip["connectivity"]["azfw"][location].reverse_fqdn, null) - public_ip_prefix_id = try(local.custom_settings.azurerm_public_ip["connectivity"]["azfw"][location].public_ip_prefix_id, null) - ip_tags = try(local.custom_settings.azurerm_public_ip["connectivity"]["azfw"][location].ip_tags, null) - tags = try(local.custom_settings.azurerm_public_ip["connectivity"]["azfw"][location].tags, local.tags) - availability_zone = try( - local.custom_settings.azurerm_public_ip["connectivity"]["azfw"][location].availability_zone, - local.azfw_zones_enabled[location] ? "Zone-Redundant" : "No-Zone" - ) + zones = try(local.custom_settings.azurerm_firewall["virtual_wan"][location].zones, null) + tags = try(local.custom_settings.azurerm_firewall["virtual_wan"][location].tags, local.tags) + # Child resource definition attributes + azurerm_public_ip = {} } + ] + ) +} + +# Configuration settings for resource type: +# - azurerm_virtual_wan +# We only support creation of a single azurerm_virtual_wan resource +# per module deployment. This uses the default location set at the +# scope of the connectivity child module. 
+locals {
+ virtual_wan_name = {
+ for location in local.virtual_wan_locations :
+ location =>
+ try(local.custom_settings.azurerm_virtual_wan["virtual_wan"][location].name,
+ "${local.resource_prefix}-vwan-${location}${local.resource_suffix}")
+ }
+ virtual_wan_resource_group_id = {
+ for location in local.virtual_wan_locations :
+ location =>
+ local.resource_group_config_by_scope_and_location["virtual_wan"][location].resource_id
+ }
+ virtual_wan_resource_id_prefix = {
+ for location in local.virtual_wan_locations :
+ location =>
+ "${local.virtual_wan_resource_group_id[location]}/providers/Microsoft.Network/virtualWans"
+ }
+ virtual_wan_resource_id = {
+ for location in local.virtual_wan_locations :
+ location =>
+ "${local.virtual_wan_resource_id_prefix[location]}/${local.virtual_wan_name[location]}"
+ }
+ azurerm_virtual_wan = [
+ for location in local.virtual_wan_locations :
+ {
+ # Resource logic attributes
+ resource_id = local.virtual_wan_resource_id[location]
+ managed_by_module = local.deploy_virtual_wan[location]
+ # Resource definition attributes
+ name = local.virtual_wan_name[location]
+ resource_group_name = local.resource_group_names_by_scope_and_location["virtual_wan"][location]
+ location = location
+ # Optional definition attributes
+ disable_vpn_encryption = try(local.custom_settings.azurerm_virtual_wan["virtual_wan"][location].disable_vpn_encryption, false)
+ allow_branch_to_branch_traffic = try(local.custom_settings.azurerm_virtual_wan["virtual_wan"][location].allow_branch_to_branch_traffic, true)
+ office365_local_breakout_category = try(local.custom_settings.azurerm_virtual_wan["virtual_wan"][location].office365_local_breakout_category, "None")
+ type = try(local.custom_settings.azurerm_virtual_wan["virtual_wan"][location].type, "Standard")
+ tags = try(local.custom_settings.azurerm_virtual_wan["virtual_wan"][location].tags, local.tags)
+ }
+ ]
+}
+
+# Configuration settings for resource type:
+# - azurerm_virtual_hub
+locals {
+ virtual_hub_name = {
+ for location in local.virtual_hub_locations :
+ location =>
+ try(local.custom_settings.azurerm_virtual_hub["virtual_wan"][location].name,
+ "${local.resource_prefix}-hub-${location}${local.resource_suffix}")
+ }
+ virtual_hub_resource_group_name = {
+ for location in local.virtual_hub_locations :
+ location => (
+ contains(keys(local.virtual_hubs_by_location_for_resource_group_per_location), location) ?
+ local.resource_group_names_by_scope_and_location["connectivity"][location] :
+ local.resource_group_names_by_scope_and_location["virtual_wan"][local.virtual_wan_locations[0]]
+ )
+ }
+ virtual_hub_resource_group_id = {
+ for location in local.virtual_hub_locations :
+ location => (
+ contains(keys(local.virtual_hubs_by_location_for_resource_group_per_location), location) ?
+ local.resource_group_config_by_scope_and_location["connectivity"][location].resource_id :
+ local.resource_group_config_by_scope_and_location["virtual_wan"][local.virtual_wan_locations[0]].resource_id
+ )
+ }
+ virtual_hub_resource_id_prefix = {
+ for location in local.virtual_hub_locations :
+ location =>
+ "${local.virtual_hub_resource_group_id[location]}/providers/Microsoft.Network/virtualHubs"
+ }
+ virtual_hub_resource_id = {
+ for location in local.virtual_hub_locations :
+ location =>
+ "${local.virtual_hub_resource_id_prefix[location]}/${local.virtual_hub_name[location]}"
+ }
+ azurerm_virtual_hub = [
+ for location, virtual_hub in local.virtual_hubs_by_location :
+ {
+ # Resource logic attributes
+ resource_id = local.virtual_hub_resource_id[location]
+ managed_by_module = local.deploy_virtual_hub[location]
+ # Resource definition attributes
+ name = local.virtual_hub_name[location]
+ resource_group_name = local.virtual_hub_resource_group_name[location]
+ location = location
+ # Optional definition attributes
+ sku = coalesce(virtual_hub.config.sku, "Standard")
+ address_prefix = virtual_hub.config.address_prefix
+ virtual_wan_id = length(local.existing_virtual_wan_resource_id) > 0 ? local.existing_virtual_wan_resource_id : (
+ length(local.virtual_wan_locations) > 0 ?
+ lookup(local.virtual_wan_resource_id, local.virtual_wan_locations[0], null) :
+ null
+ )
+ tags = try(local.custom_settings.azurerm_virtual_hub["virtual_wan"][location].tags, local.tags)
+ route = [
+ for route in virtual_hub.config.routes :
+ {
+ address_prefixes = route.address_prefixes
+ next_hop_ip_address = route.next_hop_ip_address
+ }
+ ]
+ }
+ ]
+}
+
+# Configuration settings for resource type:
+# - azurerm_express_route_gateway
+locals {
+ virtual_hub_express_route_gateway_name = {
+ for location in local.virtual_hub_locations :
+ location =>
+ try(local.custom_settings.azurerm_express_route_gateway["virtual_wan"][location].name,
+ "${local.resource_prefix}-ergw-${location}${local.resource_suffix}")
+ }
+ virtual_hub_express_route_gateway_resource_id_prefix = {
+ for location in local.virtual_hub_locations :
+ location =>
+ "${local.virtual_hub_resource_group_id[location]}/providers/Microsoft.Network/expressRouteGateways"
+ }
+ virtual_hub_express_route_gateway_resource_id = {
+ for location in local.virtual_hub_locations :
+ location =>
+ "${local.virtual_hub_express_route_gateway_resource_id_prefix[location]}/${local.virtual_hub_express_route_gateway_name[location]}"
+ }
+ azurerm_express_route_gateway = [
+ for location, virtual_hub in local.virtual_hubs_by_location :
+ {
+ # Resource logic attributes
+ resource_id = local.virtual_hub_express_route_gateway_resource_id[location]
+ managed_by_module = local.deploy_virtual_hub_express_route_gateway[location]
+ # Resource definition attributes
+ name = local.virtual_hub_express_route_gateway_name[location]
+ resource_group_name = local.virtual_hub_resource_group_name[location]
+ location = location
+ virtual_hub_id = local.virtual_hub_resource_id[location]
+ scale_units = virtual_hub.config.expressroute_gateway.config.scale_unit
+ # Optional definition attributes
+ tags = try(local.custom_settings.azurerm_express_route_gateway["virtual_wan"][location].tags, local.tags)
+ }
+ ]
+}
+
+# Configuration settings for resource type:
+# - azurerm_vpn_gateway
+locals {
+ virtual_hub_vpn_gateway_name = {
+ for location in local.virtual_hub_locations :
+ location =>
+ try(local.custom_settings.azurerm_vpn_gateway["virtual_wan"][location].name,
+ "${local.resource_prefix}-vpngw-${location}${local.resource_suffix}")
+ }
+ virtual_hub_vpn_gateway_resource_id_prefix = {
+ for location in local.virtual_hub_locations :
+ location =>
+ "${local.virtual_hub_resource_group_id[location]}/providers/Microsoft.Network/expressRouteGateways"
+ }
+ virtual_hub_vpn_gateway_resource_id = {
+ for location in local.virtual_hub_locations :
+ location =>
+ "${local.virtual_hub_vpn_gateway_resource_id_prefix[location]}/${local.virtual_hub_vpn_gateway_name[location]}"
+ }
+ azurerm_vpn_gateway = [
+ for location, virtual_hub in local.virtual_hubs_by_location :
+ {
+ # Resource logic attributes
+ resource_id = local.virtual_hub_vpn_gateway_resource_id[location]
+ managed_by_module = local.deploy_virtual_hub_vpn_gateway[location]
+ # Resource definition attributes
+ name = local.virtual_hub_vpn_gateway_name[location]
+ resource_group_name = local.virtual_hub_resource_group_name[location]
+ location = location
+ virtual_hub_id = local.virtual_hub_resource_id[location]
+ # Optional definition attributes
+ routing_preference = coalesce(virtual_hub.config.vpn_gateway.config.routing_preference, "Microsoft Network")
+ scale_unit = virtual_hub.config.vpn_gateway.config.scale_unit
+ tags = try(local.custom_settings.azurerm_vpn_gateway["virtual_wan"][location].tags, local.tags)
+ bgp_settings = [
+ for bgp_setting in virtual_hub.config.vpn_gateway.config.bgp_settings :
+ {
+ asn = bgp_setting.asn
+ peer_weight = bgp_setting.peer_weight
+ instance_0_bgp_peering_address = [
+ for instance_bgp_peering_address in bgp_setting.instance_0_bgp_peering_address :
+ {
+ custom_ips
= instance_bgp_peering_address.custom_ips + } + ] + instance_1_bgp_peering_address = [ + for instance_bgp_peering_address in bgp_setting.instance_1_bgp_peering_address : + { + custom_ips = instance_bgp_peering_address.custom_ips + } + ] + } + ] } ] } @@ -562,10 +961,14 @@ locals { # Configuration settings for resource type: # - azurerm_public_ip locals { - azurerm_public_ip = concat( - local.azurerm_virtual_network_gateway.*.azurerm_public_ip, - local.azurerm_firewall.*.azurerm_public_ip, - ) + azurerm_public_ip = [ + for azurerm_public_ip in concat( + local.azurerm_virtual_network_gateway.*.azurerm_public_ip, + local.azurerm_firewall.*.azurerm_public_ip, + ) : + azurerm_public_ip + if length(azurerm_public_ip) > 0 + ] } # Configuration settings for resource type: @@ -749,7 +1152,7 @@ locals { managed_by_module = local.deploy_private_dns_zone_virtual_network_link_on_hubs } ] - spoke_virtual_networks_for_dns = flatten( + spoke_virtual_networks_for_dns = flatten([ [ for location, hub_config in local.hub_networks_by_location : [ @@ -760,12 +1163,26 @@ locals { managed_by_module = local.deploy_private_dns_zone_virtual_network_link_on_spokes } ] + ], + [ + for location, virtual_hub_config in local.virtual_hubs_by_location : + [ + for spoke_resource_id in virtual_hub_config.config.spoke_virtual_network_resource_ids : + { + resource_id = spoke_resource_id + name = "${split("/", spoke_resource_id)[2]}-${uuidv5("url", spoke_resource_id)}" + managed_by_module = local.deploy_private_dns_zone_virtual_network_link_on_spokes + } + ] ] - ) - virtual_networks_for_dns = concat( + ]) + # Distinct is used to allow for situations where + # the same spoke is associated with multiple hub + # networks for peering. + virtual_networks_for_dns = distinct(concat( local.hub_virtual_networks_for_dns, local.spoke_virtual_networks_for_dns, - ) + )) azurerm_private_dns_zone_virtual_network_link = flatten( [ for zone in local.azurerm_private_dns_zone : 
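Review bot: In the new virtual-hub branch of `spoke_virtual_networks_for_dns`, both the link name (`uuidv5("url", spoke_resource_id)`) and the later `distinct(...)` treat the spoke resource ID as a case-sensitive string, while `spoke_virtual_network_resource_ids` is declared only as `list(string)`. Azure resource IDs are matched case-insensitively, so if the same VNet is listed under a hub network and a virtual hub with different letter case, `distinct` will not collapse the two entries and two DNS links to the same network would be planned. A malformed ID also fails at `split("/", spoke_resource_id)[2]` with an index error rather than a clear message. I would add a comment above the `name` line, `# split(...)[2] is the subscription ID; assumes /subscriptions/<id>/resourceGroups/...`, and consider a `validation` on the input that checks each ID against that form. The first inner list of the `flatten` is context and only partly visible in this hunk.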
@@ -817,6 +1234,31 @@ locals { ) } +# Configuration settings for resource type: +# - azurerm_virtual_hub_connection +locals { + azurerm_virtual_hub_connection = flatten( + [ + for location, virtual_hub_config in local.virtual_hubs_by_location : + [ + for spoke_resource_id in virtual_hub_config.config.spoke_virtual_network_resource_ids : + { + # Resource logic attributes + resource_id = "${local.virtual_hub_resource_id[location]}/hubVirtualNetworkConnections/peering-${uuidv5("url", spoke_resource_id)}" + managed_by_module = local.deploy_virtual_hub_connection[location] + # Resource definition attributes + name = "peering-${uuidv5("url", spoke_resource_id)}" + virtual_hub_id = local.virtual_hub_resource_id[location] + remote_virtual_network_id = spoke_resource_id + # Optional definition attributes + internet_security_enabled = false + routing = local.empty_list + } + ] + ] + ) +} + # Archetype configuration overrides locals { archetype_config_overrides = { @@ -900,6 +1342,7 @@ locals { key != "managed_by_module" && key != "scope" } + scope = resource.scope managed_by_module = local.deploy_resource_groups[resource.scope][resource.location] } ] 
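Review bot: `internet_security_enabled = false` and `routing = local.empty_list` are hard-coded in `azurerm_virtual_hub_connection`, so they cannot be changed through `custom_settings` the way the other resource types in this file can. When the hub also gets the `AZFW_Hub` firewall this commit adds, a connection with internet security disabled does not, as far as I know, receive the hub's default route, so spoke internet egress would not be forced through the firewall. I would follow the pattern used elsewhere, e.g. `internet_security_enabled = try(local.custom_settings.azurerm_virtual_hub_connection["virtual_wan"][location].internet_security_enabled, false)`, and state in a comment why `false` is the default.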
@@ -978,7 +1421,69 @@ locals { if resource.managed_by_module && key != "resource_id" && key != "managed_by_module" && - key != "azurerm_public_ip" + key != "azurerm_public_ip" && + key != "scope" + } + scope = resource.scope + managed_by_module = resource.managed_by_module + } + ] + azurerm_virtual_wan = [ + for resource in local.azurerm_virtual_wan : + { + resource_id = resource.resource_id + resource_name = resource.name + template = { + for key, value in resource : + key => value + if resource.managed_by_module && + key != "resource_id" && + key != "managed_by_module" + } + managed_by_module = resource.managed_by_module + } + ] + azurerm_virtual_hub = [ + for resource in local.azurerm_virtual_hub : + { + resource_id = resource.resource_id + resource_name = resource.name + template = { + for key, value in resource : + key => value + if resource.managed_by_module && + key != "resource_id" && + key != "managed_by_module" + } + managed_by_module = resource.managed_by_module + } + ] + azurerm_express_route_gateway = [ + for resource in local.azurerm_express_route_gateway : + { + resource_id = resource.resource_id + resource_name = resource.name + template = { + for key, value in resource : + key => value + if resource.managed_by_module && + key != "resource_id" && + key != "managed_by_module" + } + managed_by_module = resource.managed_by_module + } + ] + azurerm_vpn_gateway = [ + for resource in local.azurerm_vpn_gateway : + { + resource_id = resource.resource_id + resource_name = resource.name + template = { + for key, value in resource : + key => value + if resource.managed_by_module && + key != "resource_id" && + key != "managed_by_module" } managed_by_module = resource.managed_by_module } 
@@ -1052,7 +1557,23 @@ locals { for key, value in resource : key => value if resource.managed_by_module && - key != "resource_id" + key != "resource_id" && + key != "managed_by_module" + } + managed_by_module = resource.managed_by_module + } + ] + azurerm_virtual_hub_connection = [ + for resource in local.azurerm_virtual_hub_connection : + { + resource_id = resource.resource_id + resource_name = resource.name + template = { + for key, value in resource : + key => value + if resource.managed_by_module && + key != "resource_id" && + key != "managed_by_module" } managed_by_module = resource.managed_by_module } 
@@ -1064,53 +1585,76 @@ locals { locals { debug_output = { - deploy_resource_groups = local.deploy_resource_groups - deploy_hub_network = local.deploy_hub_network - deploy_virtual_network_gateway = local.deploy_virtual_network_gateway - deploy_virtual_network_gateway_expressroute = local.deploy_virtual_network_gateway_expressroute - deploy_virtual_network_gateway_vpn = local.deploy_virtual_network_gateway_vpn - deploy_azure_firewall = local.deploy_azure_firewall - resource_group_names_by_scope_and_location = local.resource_group_names_by_scope_and_location - resource_group_config_by_scope_and_location = local.resource_group_config_by_scope_and_location - azurerm_resource_group = local.azurerm_resource_group - ddos_resource_group_id = local.ddos_resource_group_id - ddos_protection_plan_name = local.ddos_protection_plan_name - ddos_protection_plan_resource_id = local.ddos_protection_plan_resource_id - azurerm_network_ddos_protection_plan = local.azurerm_network_ddos_protection_plan - hub_network_locations = local.hub_network_locations - ddos_location = local.ddos_location - dns_location = local.dns_location - virtual_network_resource_group_id = local.virtual_network_resource_group_id - virtual_network_resource_id_prefix = local.virtual_network_resource_id_prefix - virtual_network_resource_id = local.virtual_network_resource_id - azurerm_virtual_network = local.azurerm_virtual_network - subnets_by_virtual_network = local.subnets_by_virtual_network - azurerm_subnet = local.azurerm_subnet - er_gateway_name = local.er_gateway_name - er_gateway_resource_id_prefix = local.er_gateway_resource_id_prefix - er_gateway_resource_id = local.er_gateway_resource_id - er_gateway_config = local.er_gateway_config - vpn_gateway_name = local.vpn_gateway_name - vpn_gateway_resource_id_prefix = local.vpn_gateway_resource_id_prefix - vpn_gateway_resource_id = local.vpn_gateway_resource_id - vpn_gateway_config = local.vpn_gateway_config - azurerm_virtual_network_gateway = 
local.azurerm_virtual_network_gateway - azfw_name = local.azfw_name - azfw_resource_id_prefix = local.azfw_resource_id_prefix - azfw_resource_id = local.azfw_resource_id - azurerm_firewall = local.azurerm_firewall - azurerm_public_ip = local.azurerm_public_ip - enable_private_link_by_service = local.enable_private_link_by_service - private_link_locations = local.private_link_locations - lookup_private_link_dns_zone_by_service = local.lookup_private_link_dns_zone_by_service - lookup_private_link_group_id_by_service = local.lookup_private_link_group_id_by_service - services_by_private_link_dns_zone = local.services_by_private_link_dns_zone - private_dns_zone_enabled = local.private_dns_zone_enabled - azurerm_private_dns_zone = local.azurerm_private_dns_zone - azurerm_dns_zone = local.azurerm_dns_zone - hub_virtual_networks_for_dns = local.hub_virtual_networks_for_dns - spoke_virtual_networks_for_dns = local.spoke_virtual_networks_for_dns - virtual_networks_for_dns = local.virtual_networks_for_dns - azurerm_private_dns_zone_virtual_network_link = local.azurerm_private_dns_zone_virtual_network_link + hub_networks = local.hub_networks + hub_networks_by_location = local.hub_networks_by_location + hub_network_locations = local.hub_network_locations + virtual_hubs = local.virtual_hubs + virtual_hubs_by_location = local.virtual_hubs_by_location + virtual_hub_locations = local.virtual_hub_locations + virtual_hubs_by_location_for_resource_group_per_location = local.virtual_hubs_by_location_for_resource_group_per_location + virtual_hubs_by_location_for_shared_resource_group = local.virtual_hubs_by_location_for_shared_resource_group + virtual_hubs_by_location_for_managed_virtual_wan = local.virtual_hubs_by_location_for_managed_virtual_wan + virtual_hubs_by_location_for_existing_virtual_wan = local.virtual_hubs_by_location_for_existing_virtual_wan + virtual_wan_locations = local.virtual_wan_locations + ddos_location = local.ddos_location + dns_location = local.dns_location + 
connectivity_locations = local.connectivity_locations + result_when_location_missing = local.result_when_location_missing + deploy_resource_groups = local.deploy_resource_groups + deploy_ddos_protection_plan = local.deploy_ddos_protection_plan + deploy_dns = local.deploy_dns + deploy_private_dns_zone_virtual_network_link_on_hubs = local.deploy_private_dns_zone_virtual_network_link_on_hubs + deploy_private_dns_zone_virtual_network_link_on_spokes = local.deploy_private_dns_zone_virtual_network_link_on_spokes + deploy_hub_network = local.deploy_hub_network + deploy_virtual_network_gateway = local.deploy_virtual_network_gateway + deploy_virtual_network_gateway_express_route = local.deploy_virtual_network_gateway_express_route + deploy_virtual_network_gateway_vpn = local.deploy_virtual_network_gateway_vpn + deploy_azure_firewall = local.deploy_azure_firewall + deploy_outbound_virtual_network_peering = local.deploy_outbound_virtual_network_peering + deploy_virtual_wan = local.deploy_virtual_wan + deploy_virtual_hub = local.deploy_virtual_hub + deploy_virtual_hub_express_route_gateway = local.deploy_virtual_hub_express_route_gateway + deploy_virtual_hub_vpn_gateway = local.deploy_virtual_hub_vpn_gateway + deploy_virtual_hub_azure_firewall = local.deploy_virtual_hub_azure_firewall + deploy_virtual_hub_connection = local.deploy_virtual_hub_connection + resource_group_names_by_scope_and_location = local.resource_group_names_by_scope_and_location + resource_group_config_by_scope_and_location = local.resource_group_config_by_scope_and_location + azurerm_resource_group = local.azurerm_resource_group + ddos_resource_group_id = local.ddos_resource_group_id + ddos_protection_plan_name = local.ddos_protection_plan_name + ddos_protection_plan_resource_id = local.ddos_protection_plan_resource_id + azurerm_network_ddos_protection_plan = local.azurerm_network_ddos_protection_plan + virtual_network_resource_group_id = local.virtual_network_resource_group_id + 
virtual_network_resource_id_prefix = local.virtual_network_resource_id_prefix + virtual_network_resource_id = local.virtual_network_resource_id + azurerm_virtual_network = local.azurerm_virtual_network + subnets_by_virtual_network = local.subnets_by_virtual_network + azurerm_subnet = local.azurerm_subnet + er_gateway_name = local.er_gateway_name + er_gateway_resource_id_prefix = local.er_gateway_resource_id_prefix + er_gateway_resource_id = local.er_gateway_resource_id + er_gateway_config = local.er_gateway_config + vpn_gateway_name = local.vpn_gateway_name + vpn_gateway_resource_id_prefix = local.vpn_gateway_resource_id_prefix + vpn_gateway_resource_id = local.vpn_gateway_resource_id + vpn_gateway_config = local.vpn_gateway_config + azurerm_virtual_network_gateway = local.azurerm_virtual_network_gateway + azfw_name = local.azfw_name + azfw_resource_id_prefix = local.azfw_resource_id_prefix + azfw_resource_id = local.azfw_resource_id + azurerm_firewall = local.azurerm_firewall + azurerm_public_ip = local.azurerm_public_ip + enable_private_link_by_service = local.enable_private_link_by_service + private_link_locations = local.private_link_locations + lookup_private_link_dns_zone_by_service = local.lookup_private_link_dns_zone_by_service + lookup_private_link_group_id_by_service = local.lookup_private_link_group_id_by_service + services_by_private_link_dns_zone = local.services_by_private_link_dns_zone + private_dns_zone_enabled = local.private_dns_zone_enabled + azurerm_private_dns_zone = local.azurerm_private_dns_zone + azurerm_dns_zone = local.azurerm_dns_zone + hub_virtual_networks_for_dns = local.hub_virtual_networks_for_dns + spoke_virtual_networks_for_dns = local.spoke_virtual_networks_for_dns + virtual_networks_for_dns = local.virtual_networks_for_dns + azurerm_private_dns_zone_virtual_network_link = local.azurerm_private_dns_zone_virtual_network_link } } 
diff --git a/modules/connectivity/variables.tf b/modules/connectivity/variables.tf index 8ee538f0..6cb78f1b 100644 --- a/modules/connectivity/variables.tf +++ b/modules/connectivity/variables.tf @@ -85,7 +85,60 @@ variable "settings" { }) }) ) - vwan_hub_networks = list(object({})) + vwan_hub_networks = list( + object({ + enabled = bool + config = object({ + address_prefix = string + location = string + sku = string + routes = list( + object({ + address_prefixes = list(string) + next_hop_ip_address = string + }) + ) + expressroute_gateway = object({ + enabled = bool + config = object({ + scale_unit = number + }) + }) + vpn_gateway = object({ + enabled = bool + config = object({ + bgp_settings = list( + object({ + asn = number + peer_weight = number + instance_0_bgp_peering_address = list( + object({ + custom_ips = list(string) + }) + ) + instance_1_bgp_peering_address = list( + object({ + custom_ips = list(string) + }) + ) + }) + ) + routing_preference = string + scale_unit = number + }) + }) + azure_firewall = object({ + enabled = bool + config = object({ + enable_dns_proxy = bool + sku_tier = string + }) + }) + spoke_virtual_network_resource_ids = list(string) + enable_virtual_hub_connections = bool + }) + }) + ) ddos_protection_plan = object({ enabled = bool config = object({ @@ -155,7 +208,7 @@ variable "resource_prefix" { default = "" validation { - condition = can(regex("^[a-zA-Z0-9-]{2,10}$", var.resource_prefix)) || var.resource_prefix == "" + condition = can(regex("^[a-zA-Z0-9-]{2,10}$", var.resource_prefix)) || var.resource_prefix == null error_message = "Value must be between 2 to 10 characters long, consisting of alphanumeric characters and hyphens." } } 
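Review bot: The new condition for `resource_prefix` accepts `null` but no longer accepts the variable's own default: `default = ""` stays in the context lines, `""` cannot match `^[a-zA-Z0-9-]{2,10}$` (two characters minimum), and `"" == null` is false. A caller that omits the variable would then fail validation, unless every caller always sets it, which this hunk does not show. Either keep both cases, `|| var.resource_prefix == null || var.resource_prefix == ""`, or change the default to `null` and confirm that the name-building interpolations tolerate it. The `resource_suffix` hunk that follows has the same problem with `{2,36}`.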
@@ -166,7 +219,7 @@ variable "resource_suffix" { default = "" validation { - condition = can(regex("^[a-zA-Z0-9-]{2,36}$", var.resource_suffix)) || var.resource_suffix == "" + condition = can(regex("^[a-zA-Z0-9-]{2,36}$", var.resource_suffix)) || var.resource_suffix == null error_message = "Value must be between 2 to 36 characters long, consisting of alphanumeric characters and hyphens." } 
@@ -178,13 +231,28 @@ variable "existing_ddos_protection_plan_resource_id" { default = "" } +variable "existing_virtual_wan_resource_id" { + type = string + description = "If specified, module will skip creation of the Virtual WAN and use existing. All Virtual Hubs created by the module will be associated with the specified Virtual WAN." + default = "" +} + +variable "resource_group_per_virtual_hub_location" { + type = bool + description = "If set to true, module will place each Virtual Hub (and associated resources) in a location-specific Resource Group. Default behaviour is to colocate Virtual Hub resources in the same Resource Group as the Virtual WAN resource." + default = false +} + variable "custom_settings_by_resource_type" { type = any description = "If specified, allows full customization of common settings for all resources (by type) deployed by this module." default = {} validation { - condition = can([for k in keys(var.custom_settings_by_resource_type) : contains(["azurerm_resource_group", "azurerm_virtual_network", "azurerm_subnet", "azurerm_virtual_network_gateway", "azurerm_public_ip", "azurerm_firewall", "azurerm_network_ddos_protection_plan", "azurerm_dns_zone", "azurerm_virtual_network_peering"], k)]) || var.custom_settings_by_resource_type == {} + condition = ( + can([for k in keys(var.custom_settings_by_resource_type) : contains(["azurerm_resource_group", "azurerm_virtual_network", "azurerm_subnet", "azurerm_virtual_network_gateway", "azurerm_public_ip", "azurerm_firewall", "azurerm_network_ddos_protection_plan", "azurerm_dns_zone", "azurerm_virtual_network_peering"], k)]) || + var.custom_settings_by_resource_type == null + ) error_message = "Invalid key specified. Please check the list of allowed resource types supported by the connectivity module for caf-enterprise-scale." } } diff --git a/modules/management/locals.tf b/modules/management/locals.tf index 755253de..2b2dd698 100644 --- a/modules/management/locals.tf 
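Review bot: The rewritten `condition` for `custom_settings_by_resource_type` still cannot reject an unknown key, because `can(...)` only tests whether the `for` expression evaluates and `contains(...)` returns `false` instead of raising an error. A misspelled or unsupported resource type is therefore silently ignored, and an override someone relies on (a firewall or gateway setting, say) would simply not apply. The allowed list also lacks the types the locals in this commit read from `local.custom_settings`, presumably fed by this variable (`azurerm_virtual_wan`, `azurerm_virtual_hub`, `azurerm_express_route_gateway`, `azurerm_vpn_gateway`), so they need adding before the check is made strict. I would replace `can(` with `try(alltrue([for k in keys(var.custom_settings_by_resource_type) : contains([...], k)]), false)` and keep the `|| var.custom_settings_by_resource_type == null` arm.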
+++ b/modules/management/locals.tf @@ -168,7 +168,6 @@ locals { workspace_id = try(local.custom_settings_la_linked_service.workspace_id, local.log_analytics_workspace_resource_id) read_access_id = try(local.custom_settings_la_linked_service.read_access_id, local.automation_account_resource_id) # This should be used for linking to an Automation Account resource. write_access_id = null # DO NOT USE. This should be used for linking to a Log Analytics Cluster resource - tags = try(local.custom_settings_la_linked_service.tags, local.tags) resource_group_name = coalesce( try(local.custom_settings_la_linked_service.resource_group_name, null), local.resource_group_name, diff --git a/outputs.tf b/outputs.tf index 61cec189..3b1bba6f 100644 --- a/outputs.tf +++ b/outputs.tf @@ -52,7 +52,8 @@ output "azurerm_role_definition" { # Assignment data is returned to the root module. output "azurerm_role_assignment" { value = { - enterprise_scale = azurerm_role_assignment.enterprise_scale + enterprise_scale = azurerm_role_assignment.enterprise_scale + policy_assignment = azurerm_role_assignment.policy_assignment } description = "Returns the configuration data for all Role Assignments created by this module." } diff --git a/resources.policy_definitions.tf b/resources.policy_definitions.tf index ba8b1b69..a4298540 100644 --- a/resources.policy_definitions.tf +++ b/resources.policy_definitions.tf 
@@ -8,11 +8,11 @@ resource "azurerm_policy_definition" "enterprise_scale" { display_name = each.value.template.properties.displayName # Optional resource attributes - description = try(each.value.template.properties.description, "${each.value.template.name} Policy Definition at scope ${each.value.scope_id}") - management_group_name = try(basename(each.value.scope_id), null) - policy_rule = try(length(each.value.template.properties.policyRule) > 0, false) ? jsonencode(each.value.template.properties.policyRule) : null - metadata = try(length(each.value.template.properties.metadata) > 0, false) ? jsonencode(each.value.template.properties.metadata) : null - parameters = try(length(each.value.template.properties.parameters) > 0, false) ? jsonencode(each.value.template.properties.parameters) : null + description = try(each.value.template.properties.description, "${each.value.template.name} Policy Definition at scope ${each.value.scope_id}") + management_group_id = try(basename(each.value.scope_id), null) + policy_rule = try(length(each.value.template.properties.policyRule) > 0, false) ? jsonencode(each.value.template.properties.policyRule) : null + metadata = try(length(each.value.template.properties.metadata) > 0, false) ? jsonencode(each.value.template.properties.metadata) : null + parameters = try(length(each.value.template.properties.parameters) > 0, false) ? jsonencode(each.value.template.properties.parameters) : null # Set explicit dependency on Management Group deployments depends_on = [ diff --git a/resources.policy_set_definitions.tf b/resources.policy_set_definitions.tf index 8727515b..3fc90bbc 100644 --- a/resources.policy_set_definitions.tf +++ b/resources.policy_set_definitions.tf 
@@ -24,10 +24,10 @@ resource "azurerm_policy_set_definition" "enterprise_scale" { } # Optional resource attributes - description = try(each.value.template.properties.description, "${each.value.template.properties.displayName} Policy Set Definition at scope ${each.value.scope_id}") - management_group_name = try(basename(each.value.scope_id), null) - metadata = try(length(each.value.template.properties.metadata) > 0, false) ? jsonencode(each.value.template.properties.metadata) : null - parameters = try(length(each.value.template.properties.parameters) > 0, false) ? jsonencode(each.value.template.properties.parameters) : null + description = try(each.value.template.properties.description, "${each.value.template.properties.displayName} Policy Set Definition at scope ${each.value.scope_id}") + management_group_id = try(basename(each.value.scope_id), null) + metadata = try(length(each.value.template.properties.metadata) > 0, false) ? jsonencode(each.value.template.properties.metadata) : null + parameters = try(length(each.value.template.properties.parameters) > 0, false) ? jsonencode(each.value.template.properties.parameters) : null # Set explicit dependency on Management Group and Policy Definition deployments depends_on = [ diff --git a/resources.virtual_wan.tf b/resources.virtual_wan.tf new file mode 100644 index 00000000..14ba5be3 --- /dev/null +++ b/resources.virtual_wan.tf 
@@ -0,0 +1,256 @@
+resource "azurerm_resource_group" "virtual_wan" {
+ for_each = local.azurerm_resource_group_virtual_wan
+
+ provider = azurerm.connectivity
+
+ # Mandatory resource attributes
+ name = each.value.template.name
+ location = each.value.template.location
+ tags = each.value.template.tags
+}
+
+resource "azurerm_virtual_wan" "virtual_wan" {
+ for_each = local.azurerm_virtual_wan_virtual_wan
+
+ provider = azurerm.connectivity
+
+ # Mandatory resource attributes
+ name = each.value.template.name
+ resource_group_name = each.value.template.resource_group_name
+ location = each.value.template.location
+
+ # Optional resource attributes
+ disable_vpn_encryption = each.value.template.disable_vpn_encryption
+ allow_branch_to_branch_traffic = each.value.template.allow_branch_to_branch_traffic
+ office365_local_breakout_category = each.value.template.office365_local_breakout_category
+ type = each.value.template.type
+ tags = each.value.template.tags
+
+ # Set explicit dependencies
+ depends_on = [
+ azurerm_resource_group.connectivity,
+ azurerm_resource_group.virtual_wan,
+ ]
+
+}
+
+resource "azurerm_virtual_hub" "virtual_wan" {
+ for_each = local.azurerm_virtual_hub_virtual_wan
+
+ provider = azurerm.connectivity
+
+ # Mandatory resource attributes
+ name = each.value.template.name
+ resource_group_name = each.value.template.resource_group_name
+ location = each.value.template.location
+
+ # Optional resource attributes
+ sku = each.value.template.sku
+ address_prefix = each.value.template.address_prefix
+ virtual_wan_id = each.value.template.virtual_wan_id
+ tags = each.value.template.tags
+
+ # Dynamic configuration blocks
+ dynamic "route" {
+ for_each = each.value.template.route
+ content {
+ # Mandatory attributes
+ address_prefixes = route.value["address_prefixes"]
+ next_hop_ip_address = route.value["next_hop_ip_address"]
+ }
+ }
+
+ # Set explicit dependencies
+ depends_on = [
+ azurerm_resource_group.connectivity,
+ azurerm_resource_group.virtual_wan,
+ azurerm_virtual_wan.virtual_wan,
+ ]
+
+}
+
+resource "azurerm_express_route_gateway" "virtual_wan" {
+ for_each = local.azurerm_express_route_gateway_virtual_wan
+
+ provider = azurerm.connectivity
+
+ # Mandatory resource attributes
+ name = each.value.template.name
+ resource_group_name = each.value.template.resource_group_name
+ location = each.value.template.location
+ virtual_hub_id = each.value.template.virtual_hub_id
+ scale_units = each.value.template.scale_units
+
+ # Optional resource attributes
+ tags = each.value.template.tags
+
+ # Set explicit dependencies
+ depends_on = [
+ azurerm_resource_group.connectivity,
+ azurerm_resource_group.virtual_wan,
+ azurerm_virtual_wan.virtual_wan,
+ azurerm_virtual_hub.virtual_wan,
+ ]
+
+}
+
+resource "azurerm_vpn_gateway" "virtual_wan" {
+ for_each = local.azurerm_vpn_gateway_virtual_wan
+
+ provider = azurerm.connectivity
+
+ # Mandatory resource attributes
+ name = each.value.template.name
+ resource_group_name = each.value.template.resource_group_name
+ location = each.value.template.location
+ virtual_hub_id = each.value.template.virtual_hub_id
+
+ # Optional resource attributes
+ routing_preference = each.value.template.routing_preference
+ scale_unit = each.value.template.scale_unit
+ tags = each.value.template.tags
+
+ # Dynamic configuration blocks
+ dynamic "bgp_settings" {
+ for_each = each.value.template.bgp_settings
+ content {
+ # Mandatory attributes
+ asn = bgp_settings.value["asn"]
+ peer_weight = bgp_settings.value["peer_weight"]
+ # Dynamic configuration blocks
+ dynamic "instance_0_bgp_peering_address" {
+ for_each = bgp_settings.value["instance_0_bgp_peering_address"]
+ content {
+ custom_ips = instance_0_bgp_peering_address.value["custom_ips"]
+ }
+ }
+ dynamic "instance_1_bgp_peering_address" {
+ for_each = bgp_settings.value["instance_1_bgp_peering_address"]
+ content {
+ custom_ips = instance_1_bgp_peering_address.value["custom_ips"]
+ }
+ }
+ }
+ }
+
+ # Set explicit dependencies
+ depends_on = [
+ azurerm_resource_group.connectivity,
+ azurerm_resource_group.virtual_wan,
+ azurerm_virtual_wan.virtual_wan,
+ azurerm_virtual_hub.virtual_wan,
+ ]
+
+}
+
+resource "azurerm_firewall" "virtual_wan" {
+ for_each = local.azurerm_firewall_virtual_wan
+
+ provider = azurerm.connectivity
+
+ # Mandatory resource attributes
+ name = each.value.template.name
+ resource_group_name = each.value.template.resource_group_name
+ location = each.value.template.location
+
+ # Optional resource attributes
+ sku_name = each.value.template.sku_name
+ sku_tier = each.value.template.sku_tier
+ firewall_policy_id = each.value.template.firewall_policy_id
+ dns_servers = each.value.template.dns_servers
+ private_ip_ranges = each.value.template.private_ip_ranges
+ threat_intel_mode = each.value.template.threat_intel_mode
+ zones = each.value.template.zones
+ tags = each.value.template.tags
+
+ # Dynamic configuration blocks
+ dynamic "ip_configuration" {
+ for_each = each.value.template.ip_configuration
+ content {
+ # Mandatory attributes
+ name = ip_configuration.value["name"]
+ public_ip_address_id = ip_configuration.value["public_ip_address_id"]
+ # Optional attributes
+ subnet_id = try(ip_configuration.value["subnet_id"], null)
+ }
+ }
+
+ dynamic "management_ip_configuration" {
+ for_each = each.value.template.management_ip_configuration
+ content {
+ # Mandatory attributes
+ name = management_ip_configuration.value["name"]
+ public_ip_address_id = management_ip_configuration.value["public_ip_address_id"]
+ # Optional attributes
+ subnet_id = try(management_ip_configuration.value["subnet_id"], null)
+ }
+ }
+
+ dynamic "virtual_hub" {
+ for_each = each.value.template.virtual_hub
+ content {
+ # Mandatory attributes
+ virtual_hub_id = virtual_hub.value["virtual_hub_id"]
+ # Optional attributes
+ public_ip_count = try(virtual_hub.value["public_ip_count"], null)
+ }
+ }
+
+ # Set explicit dependencies
+ depends_on = [
+ azurerm_resource_group.connectivity,
+ azurerm_resource_group.virtual_wan,
+ azurerm_virtual_wan.virtual_wan,
+ azurerm_virtual_hub.virtual_wan,
+ ]
+
+}
+
+resource "azurerm_virtual_hub_connection" "virtual_wan" {
+ for_each = local.azurerm_virtual_hub_connection
+
+ provider = azurerm.connectivity
+
+ # Mandatory resource attributes
+ name = each.value.template.name
+ virtual_hub_id = each.value.template.virtual_hub_id
+ remote_virtual_network_id = each.value.template.remote_virtual_network_id
+
+ # Optional resource attributes
+ internet_security_enabled = each.value.template.internet_security_enabled
+
+ # Dynamic configuration blocks
+ dynamic "routing" {
+ for_each = each.value.template.routing
+ content {
+ # Optional attributes
+ associated_route_table_id = lookup(routing.value, "associated_route_table_id", null)
+ dynamic "propagated_route_table" {
+ for_each = lookup(routing.value, "propagated_route_table", local.empty_list)
+ content {
+ # Optional attributes
+ labels = lookup(propagated_route_table.value, "labels", null)
+ route_table_ids = lookup(propagated_route_table.value, "route_table_ids", null)
+ }
+ }
+ dynamic "static_vnet_route" {
+ for_each = lookup(routing.value, "static_vnet_route", local.empty_list)
+ content {
+ # Optional attributes
+ name = lookup(static_vnet_route.value, "name", null)
+ address_prefixes = lookup(static_vnet_route.value, "address_prefixes", null)
+ next_hop_ip_address = lookup(static_vnet_route.value, "next_hop_ip_address", null)
+ }
+ }
+ }
+ }
+
+ # Set explicit dependencies
+ depends_on = [
+ azurerm_resource_group.connectivity,
+ azurerm_resource_group.virtual_wan,
+ azurerm_virtual_wan.virtual_wan,
+ azurerm_virtual_hub.virtual_wan,
+ ]
+
+}
diff --git a/terraform.tf b/terraform.tf
index 8af25950..df800557 100644
--- a/terraform.tf
+++ b/terraform.tf
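Review bot: `disable_vpn_encryption` in `azurerm_virtual_wan` is copied straight from `each.value.template` with no default or guard in this file, so whether VPN traffic stays encrypted depends entirely on locals that are not part of this hunk; `threat_intel_mode` on `azurerm_firewall` and `internet_security_enabled` on `azurerm_virtual_hub_connection` are passed through the same way. I would mark each of these with a comment such as `# Security-sensitive: default is set where the template is built; override only after review`, and confirm that the code building the template defaults `disable_vpn_encryption` to `false`. On style, the firewall blocks read optional keys with `try(...["subnet_id"], null)` while the hub connection uses `lookup(..., null)`; `lookup` is the narrower choice because `try` also hides unrelated evaluation errors.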
@@ -3,7 +3,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = ">= 2.77.0" + version = ">= 2.96.0" configuration_aliases = [ azurerm.connectivity, azurerm.management, diff --git a/tests/README.md b/tests/README.md new file mode 100644 index 00000000..cdfd6891 --- /dev/null +++ b/tests/README.md 
@@ -0,0 +1,117 @@
+# Test Framework for the Terraform Module for Cloud Adoption Framework Enterprise-scale
+
+This folder contains code relating to the test framework for this module.
+Testing is currently performed in the following stages:
+
+1. Code Review (GitHub Actions)
+1. Unit Tests (Azure Pipelines)
+1. E2E Tests (Azure Pipelines)
+
+The decision to break testing up in this manner was to ensure developers get quick feedback when working on bug fixes and new features, whilst providing greater assurance that the latest updates work as expected and do not break existing functionality.
+
+## Code Review (GitHub Actions)
+
+The first quality check ensures all code complies with recommended coding practices.
+We use [GitHub Super-Linter (v4.1.0)](https://github.com/github/super-linter/tree/v4.1.0) to perform this initial check across the code base.
+By running this within a GitHub Action, anyone contributing to the code can get quick feedback on each commit pushed to GitHub.
+
+GitHub Super-Linter is configured to run checks against the full codebase using the following Linters:
+
+| *Language* | *Linter* |
+| ---------- | -------- |
+| **JSON** | [jsonlint](https://github.com/zaach/jsonlint) |
+| **Markdown** | [markdownlint](https://github.com/igorshubovych/markdownlint-cli#readme) |
+| **PowerShell** | [PSScriptAnalyzer](https://github.com/PowerShell/Psscriptanalyzer) |
+| **Shell** | [Shellcheck](https://github.com/koalaman/shellcheck) / [executable bit check] / [shfmt](https://github.com/mvdan/sh) |
+| **Terraform** | [tflint](https://github.com/terraform-linters/tflint) / [terrascan](https://github.com/accurics/terrascan) |
+| **YAML** | [YamlLint](https://github.com/adrienverge/yamllint) |
+
+This is also a mandatory check on all PR's being raised against the `main` branch.
+
+## Unit Tests (Azure Pipelines)
+
+As linting only let's you know if the code is well written (according to a pre-determined set of standards), we also need to determine whether the code generates a valid Terraform plan.
+
+To verify this, we have a set of unit tests which run additional checks against the module using a series of test deployments.
+
+To give assurance that the module works with the specified range of supported versions of Terraform and the Azure provider, we use a [matrix strategy](#multi_job_configuration_matrix_strategy)) to automatically generate parallel running jobs for each version combination.
+
+The Unit Tests consist of the following tasks:
+
+| *Task Name* | *Description* |
+| --- | --- |
+| **Install Terraform Pre-requisites** | Ensures the required version of Terraform is installed on the agent. |
+| **Prepare Terraform Environment** | Retrieves credentials for the target test environment and sets a unique value for the `root_id` input variable.1 |
+| **Terraform Linting (terraform fmt)** | Runs `terraform fmt` against the entire repository in `-check` mode to ensure Terraform code is correctly formatted. |
+| **Install OPA/Conftest Pre-requisites** | Ensure the required version of `Conftest`, `jq`, `yq` and `yamllint` are installed on the agent. |
+| **Test 001 (terraform init) Baseline** | Initialize the root module for this test instance. |
+| **Test 001 (terraform plan) Baseline** | Generate a Terraform plan for this test instance. |
+| **Test 001 (conftest) Baseline** | Run Conftest to ensure the Terraform plan matches the expected configuration for this test instance. |
+| **Test 002 (terraform init) Add Custom Core** | Initialize the root module for this test instance. |
+| **Test 002 (terraform plan) Add Custom Core** | Generate a Terraform plan for this test instance. |
+| **Test 002 (conftest) Add Custom Core** | Run Conftest to ensure the Terraform plan matches the expected configuration for this test instance. |
+| **Test 003 (terraform init) Add Management and Connectivity** | Initialize the root module for this test instance. |
+| **Test 003 (terraform plan) Add Management and Connectivity** | Generate a Terraform plan for this test instance. |
+| **Test 003 (conftest) Add Management and Connectivity** | Run Conftest to ensure the Terraform plan matches the expected configuration for this test instance. |
+
+1 *Each job uses a dedicated SPN (with certificate based authentication) to connect to Azure.*
+*This is to minimize the risk of API rate limiting when running highly parallel resource deployments in the pipeline.*
+
+## E2E Tests (Azure Pipelines)
+
+The E2E Tests consist of the following tasks:
+
+| *Task Name* | *Description* |
+| --- | --- |
+| **Install Terraform Pre-requisites** | Ensures the required version of Terraform is installed on the agent. |
+| **Prepare Terraform Environment** | Retrieves credentials for the target test environment and sets a unique value for the `root_id` input variable.1 |
+| **Terraform Linting (terraform fmt)** | Runs `terraform fmt` against the entire repository in `-check` mode to ensure Terraform code is correctly formatted. |
+| **Test 001 (terraform init) Baseline** | Initialize the root module for this test instance. |
+| **Test 001 (terraform plan) Baseline** | Generate a Terraform plan for this test instance. |
+| **Test 001 (terraform apply) Baseline** | Apply the Terraform plan for this test instance. |
+| **Test 002 (terraform init) Add Custom Core** | Initialize the root module for this test instance. |
+| **Test 002 (terraform plan) Add Custom Core** | Generate a Terraform plan for this test instance. |
+| **Test 002 (terraform apply) Add Custom Core** | Apply the Terraform plan for this test instance. |
+| **Test 003 (terraform init) Add Management and Connectivity** | Initialize the root module for this test instance. |
+| **Test 003 (terraform plan) Add Management and Connectivity** | Generate a Terraform plan for this test instance. |
+| **Test 003 (terraform apply) Add Management and Connectivity** | Apply the Terraform plan for this test instance. |
+| **Clean-up Test Environment (terraform destroy)** | Run `terraform destroy` to clean-up the test environment.2 |
+
+> 1 *Each job uses a dedicated SPN (with certificate based authentication) to connect to Azure.*
+> *This is to minimize the risk of API rate limiting when running highly parallel resource deployments in the pipeline.*
+>
+> 2 *The* `terraform destroy` *task uses the* `always()` *condition to ensure the environment is cleaned-up if any of the previous tasks fail after a partial deployment.*
+
+## Why Azure Pipelines?
+
+The Unit Tests and E2E Tests need valid Azure credentials to authenticate with the Azure platform for Terraform to work.
+These tests are run on Azure Pipelines as a security measure, allowing contributed code from forked repositories to be reviewed before tests are manually triggered by a repository contributor using [comment triggers](https://docs.microsoft.com/azure/devops/pipelines/repos/github?view=azure-devops&tabs=yaml#comment-triggers).
+Although GitHub Actions could technically run these jobs, GitHub prevents access to secrets for jobs triggered from forks.
+
+## Multi-job configuration (`matrix` strategy)
+
+Azure Pipelines provides the option to define a [multi-job configuration](https://docs.microsoft.com/azure/devops/pipelines/process/phases?view=azure-devops&tabs=yaml#multi-job-configuration).
+This enables multi-configuration testing to be implemented from a common set of tasks, with the benefit of running multiple jobs on multiple agents in parallel.
+
+Our implementation uses a programmatically generated `matrix` strategy to ensure we can meet our testing requirements.
+This is designed to ensure the module works with different combinations of Terraform and Azure provider versions.
+The strategy is generated by a [PowerShell script](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/blob/main/tests/scripts/azp-strategy.ps1), and is used by both the Unit and E2E tests.
+
+The current strategy consists of running tests against the following version combinations:
+
+- Terraform versions:
+ - Minimum version supported by the module (`0.15.0`)
+ - Latest `0.15.x` version
+ - Latest `1.0.x` version
+- Azure provider for Terraform versions:
+ - Minimum version supported by the module (`v2.77.0`)
+ - Latest version
+
+The latest versions are determined programmatically by querying the publisher APIs.
+This negates the need to update the code or pipeline to ensure the latest version is being tested.
+
+With the frequency at which we run tests these combinations give reasonable assurance that the module will work with all version combinations up to the latest versions, not withstanding any which temporarily introduce bugs.
+
+The `matrix` strategy also uses the [Microsoft.Subscription/aliases@2021-10-01](https://docs.microsoft.com/rest/api/subscription/2020-09-01/alias) API to map Subscriptions to each job within the Matrix.
+This ensures that each job has dedicated Subscriptions to deploy resources into, and place within the Management Group hierarchy.
+In combination with the dedicated SPN per job, this also increases the API rate limits available to the pipeline.
diff --git a/tests/deployment/main.tf b/tests/deployment/main.tf
deleted file mode 100644
index 03adebcc..00000000
--- a/tests/deployment/main.tf
+++ /dev/null
@@ -1,154 +0,0 @@
-data "azurerm_client_config" "connectivity" {
- provider = azurerm.connectivity
-}
-
-data "azurerm_client_config" "management" {
- provider = azurerm.management
-}
-
-module "test_root_id_1" {
- source = "../../"
-
- providers = {
- azurerm = azurerm.management
- azurerm.connectivity = azurerm.connectivity
- azurerm.management = azurerm.management
- }
-
- # Base module configuration settings
- root_parent_id = data.azurerm_client_config.management.tenant_id
- root_id = var.root_id_1
- root_name = "${var.root_name}-1"
- default_location = var.location
- default_tags = local.default_tags
-
- # Tuning delay timers to improve pipeline completion success rate
- create_duration_delay = var.create_duration_delay
- destroy_duration_delay = var.destroy_duration_delay
-
-}
-
-module "test_root_id_2" {
- source = "../../"
-
- providers = {
- azurerm = azurerm.management
- azurerm.connectivity = azurerm.connectivity
- azurerm.management = azurerm.management
- }
-
- # Base module configuration settings
- root_parent_id = data.azurerm_client_config.management.tenant_id
- root_id = var.root_id_2
- root_name = "${var.root_name}-2"
- default_location = var.location
- default_tags = local.default_tags
-
- # Configuration settings for optional landing zones
- deploy_corp_landing_zones = true
- deploy_online_landing_zones = true
- deploy_sap_landing_zones = true
- deploy_demo_landing_zones = true
-
- # Tuning delay timers to improve pipeline completion success rate
- create_duration_delay = var.create_duration_delay
- destroy_duration_delay = var.destroy_duration_delay
-
-}
-
-module "test_root_id_3" {
- source = "../../"
-
- providers = {
- azurerm = azurerm.management
- azurerm.connectivity = azurerm.connectivity
- azurerm.management = azurerm.management
- }
-
- # Base module configuration settings
- root_parent_id = data.azurerm_client_config.management.tenant_id
- root_id = var.root_id_3
- root_name = "${var.root_name}-3"
- library_path = "${path.root}/lib"
- default_location = var.location
- default_tags = local.default_tags
-
- # Configuration settings for optional landing zones
- deploy_corp_landing_zones = true
- deploy_online_landing_zones = true
- deploy_sap_landing_zones = true
- deploy_demo_landing_zones = false
-
- # Configuration settings for core resources
- custom_landing_zones = local.custom_landing_zones
- archetype_config_overrides = local.archetype_config_overrides
- subscription_id_overrides = local.subscription_id_overrides
-
- # Configuration settings for management resources
- deploy_management_resources = true
- configure_management_resources = local.configure_management_resources
- subscription_id_management = data.azurerm_client_config.management.subscription_id
-
- # Configuration settings for connectivity resources
- deploy_connectivity_resources = true
- configure_connectivity_resources = local.configure_connectivity_resources
- subscription_id_connectivity = data.azurerm_client_config.connectivity.subscription_id
-
- # For testing custom template file variables
- template_file_variables = local.custom_template_file_variables
-
- # Tuning delay timers to improve pipeline completion success rate
- create_duration_delay = var.create_duration_delay
- destroy_duration_delay = var.destroy_duration_delay
-
-}
-
-module "test_root_id_3_lz1" {
- source = "../../"
-
- providers = {
- azurerm = azurerm.management
- azurerm.connectivity = azurerm.connectivity
- azurerm.management = azurerm.management
- }
-
- root_parent_id = "${var.root_id_3}-landing-zones"
- root_id = var.root_id_3
- deploy_core_landing_zones = false
- library_path = "${path.root}/lib"
- default_location = var.location
- default_tags = local.default_tags
-
- custom_landing_zones = {
- "${var.root_id_3}-scoped-lz1" = {
- display_name = "Scoped LZ1"
- parent_management_group_id = "${var.root_id_3}-landing-zones"
- subscription_ids = []
- archetype_config = {
- archetype_id = "customer_online"
- parameters = {
- Deny-Resource-Locations = {
- listOfAllowedLocations = [
- "northcentralus",
- "southcentralus",
- ]
- }
- }
- access_control = {}
- }
- }
- }
-
- # For testing custom template file variables
- template_file_variables = local.custom_template_file_variables
-
- # Tuning delay timers to improve pipeline completion success rate
- create_duration_delay = var.create_duration_delay
- destroy_duration_delay = var.destroy_duration_delay
-
- # Set dependency to ensure correct operation
- depends_on = [
- module.test_root_id_3,
- ]
-
-}
diff --git a/tests/deployment/planned_values.json b/tests/deployment/planned_values.json
deleted file mode 100644
index f9a45f47..00000000
--- a/tests/deployment/planned_values.json
+++ /dev/null
@@ -1,18242 +0,0 @@ -{ - "child_modules": [ - { - "resources": [ - { - "address": "module.test_root_id_1.azurerm_management_group.level_1[\"/providers/Microsoft.Management/managementGroups/root-id-1\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_1", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "root-name-1", - "name": "root-id-1", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/dac8feee-8768-4fbd-9cf9-9d96d4718018", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group.level_2[\"/providers/Microsoft.Management/managementGroups/root-id-1-decommissioned\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_2", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-decommissioned", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Decommissioned", - "name": "root-id-1-decommissioned", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group.level_2[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_2", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Landing Zones", - "name": "root-id-1-landing-zones", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", - "timeouts": null - }, - 
"sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group.level_2[\"/providers/Microsoft.Management/managementGroups/root-id-1-platform\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_2", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-platform", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Platform", - "name": "root-id-1-platform", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group.level_2[\"/providers/Microsoft.Management/managementGroups/root-id-1-sandboxes\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_2", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-sandboxes", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Sandboxes", - "name": "root-id-1-sandboxes", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-1-connectivity\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_3", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-connectivity", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Connectivity", - "name": "root-id-1-connectivity", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-platform", - "timeouts": null - }, - "sensitive_values": { - 
"subscription_ids": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_3", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Identity", - "name": "root-id-1-identity", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-platform", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-1-management\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_3", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-management", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Management", - "name": "root-id-1-management", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-platform", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-connectivity/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-connectivity/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Protect your virtual 
networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs.", - "display_name": "Virtual networks should be protected by Azure DDoS Protection Standard", - "enforce": false, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-connectivity", - "name": "Enable-DDoS-VNET", - "not_scopes": [], - "parameters": "{\"ddosPlan\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-1-ddos/providers/Microsoft.Network/ddosProtectionPlans/root-id-1-ddos-eastus\"},\"effect\":{\"value\":\"Modify\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Public-IP\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Public-IP", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies creation of Public IPs under the assigned scope.", - "display_name": "Deny the creation of public IP", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", - "name": "Deny-Public-IP", - "not_scopes": [], - "parameters": "{\"effect\":{\"value\":\"Deny\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies any network security rule that allows RDP access from Internet.", - "display_name": "RDP access from the Internet should be blocked", - "enforce": false, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", - "name": "Deny-RDP-From-Internet", - "not_scopes": [], - "parameters": "{\"effect\":{\"value\":\"Deny\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets.", - "display_name": "Subnets should have a Network Security Group", - "enforce": false, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", - "name": "Deny-Subnet-Without-Nsg", - "not_scopes": [], - "parameters": "{\"effect\":{\"value\":\"Deny\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. 
You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.", - "display_name": "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy", - "enforce": false, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", - "name": "Deploy-VM-Backup", - "not_scopes": [], - "parameters": "{\"effect\":{\"value\":\"deployIfNotExists\"},\"exclusionTagName\":{\"value\":\"\"},\"exclusionTagValue\":{\"value\":[]}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-IP-Forwarding\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-IP-Forwarding", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. 
This should be reviewed by the network security team.", - "display_name": "Network interfaces should disable IP forwarding", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", - "name": "Deny-IP-Forwarding", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Containers-AKS\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Containers-AKS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. 
For more information, see https://aka.ms/kubepolicydoc.", - "display_name": "Kubernetes cluster should not allow privileged containers", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", - "name": "Deny-Priv-Containers-AKS", - "not_scopes": [], - "parameters": "{\"effect\":{\"value\":\"deny\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Escalation-AKS\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Escalation-AKS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. 
For more information, see https://aka.ms/kubepolicydoc.", - "display_name": "Kubernetes clusters should not allow container privilege escalation", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", - "name": "Deny-Priv-Escalation-AKS", - "not_scopes": [], - "parameters": "{\"effect\":{\"value\":\"deny\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies any network security rule that allows RDP access from Internet.", - "display_name": "RDP access from the Internet should be blocked", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", - "name": "Deny-RDP-From-Internet", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": 
"module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Storage-http\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Storage-http", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", - "display_name": "Secure transfer to storage accounts should be enabled", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", - "name": "Deny-Storage-http", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets.", - "display_name": "Subnets should have a Network Security Group", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", - "name": "Deny-Subnet-Without-Nsg", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-AKS-Policy\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-AKS-Policy", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. 
For more information, see https://aka.ms/akspolicydoc.", - "display_name": "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", - "name": "Deploy-AKS-Policy", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-DB-Auditing\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-DB-Auditing", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.", - "display_name": "Auditing on SQL server should be enabled", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", - "name": "Deploy-SQL-DB-Auditing", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": 
"module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Threat\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Threat", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy ensures that Threat Detection is enabled on SQL Servers.", - "display_name": "Deploy Threat Detection on SQL servers", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", - "name": "Deploy-SQL-Threat", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the 
virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.", - "display_name": "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", - "name": "Deploy-VM-Backup", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. 
For more information, visit https://aka.ms/ddosprotectiondocs.", - "display_name": "Virtual networks should be protected by Azure DDoS Protection Standard", - "enforce": false, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", - "name": "Enable-DDoS-VNET", - "not_scopes": [], - "parameters": "{\"ddosPlan\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-1-ddos/providers/Microsoft.Network/ddosProtectionPlans/root-id-1-ddos-eastus\"},\"effect\":{\"value\":\"Modify\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-AKS-HTTPS\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-AKS-HTTPS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. 
For more info, visit https://aka.ms/kubepolicydoc.", - "display_name": "Kubernetes clusters should be accessible only over HTTPS", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", - "name": "Enforce-AKS-HTTPS", - "not_scopes": [], - "parameters": "{\"effect\":{\"value\":\"deny\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. 
Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit.", - "display_name": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", - "name": "Enforce-TLS-SSL", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-management/providers/Microsoft.Authorization/policyAssignments/Deploy-Log-Analytics\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-management/providers/Microsoft.Authorization/policyAssignments/Deploy-Log-Analytics", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy-Log-Analytics.", - "display_name": "Deploy-Log-Analytics", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-management", - "name": "Deploy-Log-Analytics", - "not_scopes": [], - "parameters": 
"{\"automationAccountName\":{\"value\":\"root-id-1-automation\"},\"automationRegion\":{\"value\":\"eastus\"},\"dataRetention\":{\"value\":\"30\"},\"effect\":{\"value\":\"DeployIfNotExists\"},\"rgName\":{\"value\":\"root-id-1-mgmt\"},\"sku\":{\"value\":\"pergb2018\"},\"workspaceName\":{\"value\":\"root-id-1-la\"},\"workspaceRegion\":{\"value\":\"eastus\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Monitoring\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Monitoring", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enable Monitoring in Azure Security Center.", - "display_name": "Enable Monitoring in Azure Security Center", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", - "name": "Deploy-ASC-Monitoring", - "not_scopes": [], - "parameters": 
"{\"aadAuthenticationInSqlServerMonitoringEffect\":{\"value\":\"Disabled\"},\"diskEncryptionMonitoringEffect\":{\"value\":\"Disabled\"},\"encryptionOfAutomationAccountMonitoringEffect\":{\"value\":\"Disabled\"},\"identityDesignateLessThanOwnersMonitoringEffect\":{\"value\":\"Disabled\"},\"identityDesignateMoreThanOneOwnerMonitoringEffect\":{\"value\":\"Disabled\"},\"identityEnableMFAForWritePermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveDeprecatedAccountMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"jitNetworkAccessMonitoringEffect\":{\"value\":\"Disabled\"},\"networkSecurityGroupsOnSubnetsMonitoringEffect\":{\"value\":\"AuditIfNotExists\"},\"sqlDbEncryptionMonitoringEffect\":{\"value\":\"Disabled\"},\"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\":{\"value\":\"Disabled\"},\"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\":{\"value\":\"Disabled\"},\"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\":{\"value\":\"Disabled\"},\"sqlServerAdvancedDataSecurityMonitoringEffect\":{\"value\":\"Disabled\"},\"systemUpdatesMonitoringEffect\":{\"value\":\"Disabled\"},\"useRbacRulesMonitoringEffect\":{\"value\":\"Disabled\"},\"vmssSystemUpdatesMonitoringEffect\":{\"value\":\"Disabled\"},\"windowsDefenderExploitGuardMonitoringEffect\":{\"value\":\"Disabled\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": 
"module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-AzActivity-Log\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-AzActivity-Log", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Ensures that Activity Log Diagnostics settings are set to push logs into Log Analytics workspace.", - "display_name": "Deploy Diagnostic Settings for Activity Log to Log Analytics workspace", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", - "name": "Deploy-AzActivity-Log", - "not_scopes": [], - "parameters": "{\"logAnalytics\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-LX-Arc-Monitoring\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-LX-Arc-Monitoring", - "provider_name": 
"registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy-Linux-Arc-Monitoring.", - "display_name": "Deploy-Linux-Arc-Monitoring", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", - "name": "Deploy-LX-Arc-Monitoring", - "not_scopes": [], - "parameters": "{\"logAnalytics\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-MDFC-Config\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-MDFC-Config", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy Microsoft Defender for Cloud and Security Contacts", - "display_name": "Deploy Microsoft Defender for Cloud configuration", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", - "name": "Deploy-MDFC-Config", - "not_scopes": [], - "parameters": 
"{\"ascExportResourceGroupLocation\":{\"value\":\"eastus\"},\"ascExportResourceGroupName\":{\"value\":\"root-id-1-asc-export\"},\"emailSecurityContact\":{\"value\":\"security_contact@replace_me\"},\"enableAscForAppServices\":{\"value\":\"DeployIfNotExists\"},\"enableAscForArm\":{\"value\":\"DeployIfNotExists\"},\"enableAscForContainers\":{\"value\":\"DeployIfNotExists\"},\"enableAscForDns\":{\"value\":\"DeployIfNotExists\"},\"enableAscForKeyVault\":{\"value\":\"DeployIfNotExists\"},\"enableAscForOssDb\":{\"value\":\"DeployIfNotExists\"},\"enableAscForServers\":{\"value\":\"DeployIfNotExists\"},\"enableAscForSql\":{\"value\":\"DeployIfNotExists\"},\"enableAscForSqlOnVm\":{\"value\":\"DeployIfNotExists\"},\"enableAscForStorage\":{\"value\":\"DeployIfNotExists\"},\"logAnalytics\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-Resource-Diag\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-Resource-Diag", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Ensures that Azure resources are configured to forward diagnostic logs and metrics to an Azure Log Analytics workspace.", - "display_name": "Deploy-Resource-Diag", - 
"enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", - "name": "Deploy-Resource-Diag", - "not_scopes": [], - "parameters": "{\"logAnalytics\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). 
Takes Log Analytics workspace as parameter.", - "display_name": "Enable Azure Monitor for VMs", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", - "name": "Deploy-VM-Monitoring", - "not_scopes": [], - "parameters": "{\"logAnalytics_1\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-Monitoring\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-Monitoring", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. 
In CLI this would be az vmss update-instances.", - "display_name": "Enable Azure Monitor for Virtual Machine Scale Sets", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", - "name": "Deploy-VMSS-Monitoring", - "not_scopes": [], - "parameters": "{\"logAnalytics_1\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-WS-Arc-Monitoring\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-WS-Arc-Monitoring", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the Log Analytics agent to Windows Azure Arc machines if the agent isn't installed.", - "display_name": "Deploy-Windows-Arc-Monitoring", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", - "name": "Deploy-WS-Arc-Monitoring", - "not_scopes": [], - "parameters": "{\"logAnalytics\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", - 
"policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.", - "display_name": "AppService append enable https only setting to enforce https setting.", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", - "mode": "All", - "name": "Append-AppService-httpsonly", - "parameters": "{\"effect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"field\":\"Microsoft.Web/sites/httpsOnly\",\"notequals\":true}]},\"then\":{\"details\":[{\"field\":\"Microsoft.Web/sites/httpsOnly\",\"value\":true}],\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. Please note Append does not enforce compliance use then deny.", - "display_name": "AppService append sites with minimum TLS version to enforce.", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", - "mode": "All", - "name": "Append-AppService-latestTLS", - "parameters": "{\"effect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version for a Web App config to enforce\",\"displayName\":\"Select version minimum TLS Web App config\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites/config\",\"field\":\"type\"},{\"field\":\"Microsoft.Web/sites/config/minTlsVersion\",\"notEquals\":\"[parameters('minTlsVersion')]\"}]},\"then\":{\"details\":[{\"field\":\"Microsoft.Web/sites/config/minTlsVersion\",\"value\":\"[parameters('minTlsVersion')]\"}],\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy enables you to ensure when a Key Vault is created with out soft delete enabled it will be added.", - "display_name": "KeyVault SoftDelete should be enabled", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Key Vault\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Append-KV-SoftDelete", - "parameters": null, - "policy_rule": "{\"if\":{\"anyOf\":[{\"allOf\":[{\"equals\":\"Microsoft.KeyVault/vaults\",\"field\":\"type\"},{\"field\":\"Microsoft.KeyVault/vaults/enableSoftDelete\",\"notEquals\":true}]}]},\"then\":{\"details\":[{\"field\":\"Microsoft.KeyVault/vaults/enableSoftDelete\",\"value\":true}],\"effect\":\"append\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. 
Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled.", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Cache\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Append-Redis-disableNonSslPort", - "parameters": "{\"effect\":{\"allowedValues\":[\"Append\",\"Disabled\",\"Modify\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis\",\"displayName\":\"Effect Azure Cache for Redis\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Cache/redis\",\"field\":\"type\"},{\"anyOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Cache/Redis/enableNonSslPort\"}]}]},\"then\":{\"details\":[{\"field\":\"Microsoft.Cache/Redis/enableNonSslPort\",\"value\":false}],\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Append a specific min TLS version requirement and enforce SSL 
on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS.", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Cache\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Append-Redis-sslEnforcement", - "parameters": "{\"effect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis\",\"displayName\":\"Effect Azure Cache for Redis\"},\"type\":\"String\"},\"minimumTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Cache for Redis to enforce\",\"displayName\":\"Select version for Redis server\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Cache/redis\",\"field\":\"type\"},{\"anyOf\":[{\"field\":\"Microsoft.Cache/Redis/minimumTlsVersion\",\"notequals\":\"[parameters('minimumTlsVersion')]\"}]}]},\"then\":{\"details\":[{\"field\":\"Microsoft.Cache/Redis/minimumTlsVersion\",\"value\":\"[parameters('minimumTlsVersion')]\"}],\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - 
"name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.", - "display_name": "Control private endpoint connections to Azure Machine Learning", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Audit-MachineLearning-PrivateEndpointId", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\",\"field\":\"type\"},{\"equals\":\"Approved\",\"field\":\"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\"},{\"notEquals\":\"[subscription().subscriptionId]\",\"value\":\"[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AA-child-resources\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": 
"enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AA-child-resources", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the creation of child resources on the Automation Account", - "display_name": "No child resources in Automation Account", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Automation\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-AA-child-resources", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Automation/automationAccounts/runbooks\",\"Microsoft.Automation/automationAccounts/variables\",\"Microsoft.Automation/automationAccounts/modules\",\"Microsoft.Automation/automationAccounts/credentials\",\"Microsoft.Automation/automationAccounts/connections\",\"Microsoft.Automation/automationAccounts/certificates\"]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy enables you to restrict that Application 
Gateways is always deployed with WAF enabled", - "display_name": "Application Gateway should be deployed with WAF enabled", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-AppGW-Without-WAF", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/applicationGateways\",\"field\":\"type\"},{\"field\":\"Microsoft.Network/applicationGateways/sku.name\",\"notequals\":\"WAF_v2\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", - "display_name": "API App should only be accessible over HTTPS", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-AppServiceApiApp-http", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"field\":\"kind\",\"like\":\"*api\"},{\"equals\":\"false\",\"field\":\"Microsoft.Web/sites/httpsOnly\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", - "display_name": "Function App should only be accessible over HTTPS", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-AppServiceFunctionApp-http", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"field\":\"kind\",\"like\":\"functionapp*\"},{\"equals\":\"false\",\"field\":\"Microsoft.Web/sites/httpsOnly\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", - "display_name": "Web Application should only be accessible over HTTPS", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-AppServiceWebApp-http", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"field\":\"kind\",\"like\":\"app*\"},{\"equals\":\"false\",\"field\":\"Microsoft.Web/sites/httpsOnly\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp", - 
"provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.", - "display_name": "Deny public IPs for Databricks cluster", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Databricks\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-Databricks-NoPublicIp", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Databricks/workspaces\",\"field\":\"type\"},{\"field\":\"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\"notEquals\":true}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.", - "display_name": "Deny non-premium Databricks sku", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Databricks\",\"version\":\"1.0.0\"}", - "mode": 
"Indexed", - "name": "Deny-Databricks-Sku", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Databricks/workspaces\",\"field\":\"type\"},{\"field\":\"Microsoft.DataBricks/workspaces/sku.name\",\"notEquals\":\"premium\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enforces the use of vnet injection for Databricks workspaces.", - "display_name": "Deny Databricks workspaces without Vnet injection", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Databricks\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-Databricks-VirtualNetwork", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Databricks/workspaces\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value\"},{\"exists\":false,\"field\":\"Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value\"},{\"exists\":false,\"field\":\"Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Aks\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Aks", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.", - "display_name": "Deny AKS cluster creation in Azure Machine Learning", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MachineLearning-Aks", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"equals\":\"AKS\",\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/resourceId\"},{\"equals\":true,\"value\":\"[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-SubnetId\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-SubnetId", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.", - "display_name": "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MachineLearning-Compute-SubnetId", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\"in\":[\"AmlCompute\",\"ComputeInstance\"]},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/subnet.id\"},{\"equals\":true,\"value\":\"[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-VmSize\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-VmSize", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.", - "display_name": "Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Budget\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MachineLearning-Compute-VmSize", - "parameters": 
"{\"allowedVmSizes\":{\"defaultValue\":[\"Standard_D1_v2\",\"Standard_D2_v2\",\"Standard_D3_v2\",\"Standard_D4_v2\",\"Standard_D11_v2\",\"Standard_D12_v2\",\"Standard_D13_v2\",\"Standard_D14_v2\",\"Standard_DS1_v2\",\"Standard_DS2_v2\",\"Standard_DS3_v2\",\"Standard_DS4_v2\",\"Standard_DS5_v2\",\"Standard_DS11_v2\",\"Standard_DS12_v2\",\"Standard_DS13_v2\",\"Standard_DS14_v2\",\"Standard_M8-2ms\",\"Standard_M8-4ms\",\"Standard_M8ms\",\"Standard_M16-4ms\",\"Standard_M16-8ms\",\"Standard_M16ms\",\"Standard_M32-8ms\",\"Standard_M32-16ms\",\"Standard_M32ls\",\"Standard_M32ms\",\"Standard_M32ts\",\"Standard_M64-16ms\",\"Standard_M64-32ms\",\"Standard_M64ls\",\"Standard_M64ms\",\"Standard_M64s\",\"Standard_M128-32ms\",\"Standard_M128-64ms\",\"Standard_M128ms\",\"Standard_M128s\",\"Standard_M64\",\"Standard_M64m\",\"Standard_M128\",\"Standard_M128m\",\"Standard_D1\",\"Standard_D2\",\"Standard_D3\",\"Standard_D4\",\"Standard_D11\",\"Standard_D12\",\"Standard_D13\",\"Standard_D14\",\"Standard_DS15_v2\",\"Standard_NV6\",\"Standard_NV12\",\"Standard_NV24\",\"Standard_F2s_v2\",\"Standard_F4s_v2\",\"Standard_F8s_v2\",\"Standard_F16s_v2\",\"Standard_F32s_v2\",\"Standard_F64s_v2\",\"Standard_F72s_v2\",\"Standard_NC6s_v3\",\"Standard_NC12s_v3\",\"Standard_NC24rs_v3\",\"Standard_NC24s_v3\",\"Standard_NC6\",\"Standard_NC12\",\"Standard_NC24\",\"Standard_NC24r\",\"Standard_ND6s\",\"Standard_ND12s\",\"Standard_ND24rs\",\"Standard_ND24s\",\"Standard_NC6s_v2\",\"Standard_NC12s_v2\",\"Standard_NC24rs_v2\",\"Standard_NC24s_v2\",\"Standard_ND40rs_v2\",\"Standard_NV12s_v3\",\"Standard_NV24s_v3\",\"Standard_NV48s_v3\"],\"metadata\":{\"description\":\"Specifies the allowed VM Sizes for Aml Compute Clusters and Instances\",\"displayName\":\"Allowed VM Sizes for Aml Compute Clusters and Instances\"},\"type\":\"Array\"},\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\"in\":[\"AmlCompute\",\"ComputeInstance\"]},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/vmSize\",\"notIn\":\"[parameters('allowedVmSizes')]\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deny public access of Azure Machine Learning clusters via SSH.", - "display_name": "Deny public access of Azure Machine Learning clusters via SSH", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"equals\":\"AmlCompute\",\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\"notEquals\":\"Disabled\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-Scale\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-Scale", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enforce scale settings for Azure Machine Learning compute clusters.", - "display_name": "Enforce scale settings for Azure Machine Learning compute clusters", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Budget\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MachineLearning-ComputeCluster-Scale", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"maxNodeCount\":{\"defaultValue\":10,\"metadata\":{\"description\":\"Specifies the maximum node count of AML Clusters\",\"displayName\":\"Maximum Node 
Count\"},\"type\":\"Integer\"},\"maxNodeIdleTimeInSecondsBeforeScaleDown\":{\"defaultValue\":900,\"metadata\":{\"description\":\"Specifies the maximum node idle time in seconds before scaledown\",\"displayName\":\"Maximum Node Idle Time in Seconds Before Scaledown\"},\"type\":\"Integer\"},\"minNodeCount\":{\"defaultValue\":0,\"metadata\":{\"description\":\"Specifies the minimum node count of AML Clusters\",\"displayName\":\"Minimum Node Count\"},\"type\":\"Integer\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"equals\":\"AmlCompute\",\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\"},{\"anyOf\":[{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount\",\"greater\":\"[parameters('maxNodeCount')]\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount\",\"greater\":\"[parameters('minNodeCount')]\"},{\"greater\":\"[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]\",\"value\":\"[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-HbiWorkspace\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-HbiWorkspace", - "provider_name": 
"registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enforces high business impact Azure Machine Learning workspaces.", - "display_name": "Enforces high business impact Azure Machine Learning Workspaces", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MachineLearning-HbiWorkspace", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\"notEquals\":true}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicAccessWhenBehindVnet\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicAccessWhenBehindVnet", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deny public access behind vnet to Azure Machine Learning workspaces.", - "display_name": "Deny public acces behind vnet to Azure Machine Learning workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Machine 
Learning\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MachineLearning-PublicAccessWhenBehindVnet", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\"notEquals\":false}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Denies public network access for Azure Machine Learning workspaces.", - "display_name": "Azure Machine Learning should have disabled public network access", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MachineLearning-PublicNetworkAccess", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces\",\"field\":\"type\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/publicNetworkAccess\",\"notEquals\":\"Disabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "MySQL database servers enforce SSL connections.", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MySql-http", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"Select version minimum TLS for MySQL server\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforMySQL/servers\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\"},{\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"},{\"field\":\"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Azure 
Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "PostgreSQL database servers enforce SSL connection.", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.1\"}", - "mode": "Indexed", - "name": "Deny-PostgreSql-http", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"Select version minimum TLS for MySQL server\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforPostgreSQL/servers\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Private-DNS-Zones\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Private-DNS-Zones", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the creation of a private DNS in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription", - "display_name": "Deny the creation of private DNS", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-Private-DNS-Zones", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/privateDnsZones\",\"field\":\"type\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - 
"description": "This policy denies the creation of Maria DB accounts with exposed public endpoints", - "display_name": "Public network access should be disabled for MariaDB", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-PublicEndpoint-MariaDB", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforMariaDB/servers\",\"field\":\"type\"},{\"field\":\"Microsoft.DBforMariaDB/servers/publicNetworkAccess\",\"notequals\":\"Disabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies creation of Public IPs under the assigned scope.", - "display_name": "Deny the creation of public IP", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-PublicIP", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - 
"policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/publicIPAddresses\",\"field\":\"type\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies any network security rule that allows RDP access from Internet", - "display_name": "RDP access from the Internet should be blocked", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", - "mode": "All", - "name": "Deny-RDP-From-Internet", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/networkSecurityGroups/securityRules\",\"field\":\"type\"},{\"allOf\":[{\"equals\":\"Allow\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/access\"},{\"equals\":\"Inbound\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/direction\"},{\"anyOf\":[{\"equals\":\"*\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\"},{\"equals\":\"3389\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\"},{\"equals\":\"true\",\"value\":\"[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]\"},{\"count\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"where\":{\"equals\":\"true\",\"value\":\"[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 
'false')]\"}},\"greater\":0},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"notEquals\":\"3389\"}}]},{\"anyOf\":[{\"equals\":\"*\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\"},{\"equals\":\"Internet\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\"},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\"notEquals\":\"Internet\"}}]}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking", - "display_name": "Azure Cache for Redis only secure connections should be enabled", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Cache\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-Redis-http", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"The effect determines what happens when the policy rule is evaluated to match\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimumTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select minimum TLS version for Azure Cache for Redis.\",\"displayName\":\"Select minumum TLS version for Azure Cache for Redis.\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Cache/redis\",\"field\":\"type\"},{\"anyOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Cache/Redis/enableNonSslPort\"},{\"field\":\"Microsoft.Cache/Redis/minimumTlsVersion\",\"notequals\":\"[parameters('minimumTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Setting 
minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.", - "display_name": "Azure SQL Database should have the minimal TLS version set to the highest version", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-Sql-minTLS", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version SQL servers to enforce\",\"displayName\":\"Select version for SQL server\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Sql/servers\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.Sql/servers/minimalTlsVersion\"},{\"field\":\"Microsoft.Sql/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": 
"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.", - "display_name": "SQL Managed Instance should have the minimal TLS version set to the highest version", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-SqlMi-minTLS", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version SQL servers to enforce\",\"displayName\":\"Select version for SQL server\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Sql/managedInstances\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.Sql/managedInstances/minimalTlsVersion\"},{\"field\":\"Microsoft.Sql/managedInstances/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - 
"schema_version": 0, - "values": { - "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking", - "display_name": "Storage Account set to minumum TLS and Secure transfer should be enabled", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Storage\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-Storage-minTLS", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"The effect determines what happens when the policy rule is evaluated to match\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimumTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_1\",\"TLS1_0\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version on Azure Storage Account to enforce\",\"displayName\":\"Storage Account select minimum TLS version\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Storage/storageAccounts\",\"field\":\"type\"},{\"anyOf\":[{\"allOf\":[{\"less\":\"2019-04-01\",\"value\":\"[requestContext().apiVersion]\"},{\"exists\":\"false\",\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\"}]},{\"equals\":\"false\",\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\"},{\"field\":\"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\"notequals\":\"[parameters('minimumTlsVersion')]\"},{\"exists\":\"false\",\"field\":\"Microsoft.Storage/storageAccounts/minimumTlsVersion\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - 
"address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level.", - "display_name": "Subnets should have a Network Security Group", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Network\",\"version\":\"2.0.0\"}", - "mode": "All", - "name": "Deny-Subnet-Without-Nsg", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"excludedSubnets\":{\"defaultValue\":[\"GatewaySubnet\",\"AzureFirewallSubnet\",\"AzureFirewallManagementSubnet\"],\"metadata\":{\"description\":\"Array of subnet names that are excluded from this policy\",\"displayName\":\"Excluded Subnets\"},\"type\":\"Array\"}}", - "policy_rule": 
"{\"if\":{\"anyOf\":[{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks\",\"field\":\"type\"},{\"count\":{\"field\":\"Microsoft.Network/virtualNetworks/subnets[*]\",\"where\":{\"allOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id\"},{\"field\":\"Microsoft.Network/virtualNetworks/subnets[*].name\",\"notIn\":\"[parameters('excludedSubnets')]\"}]}},\"notEquals\":0}]},{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks/subnets\",\"field\":\"type\"},{\"field\":\"name\",\"notIn\":\"[parameters('excludedSubnets')]\"},{\"exists\":\"false\",\"field\":\"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the creation of a subnet without a User Defined Route (UDR).", - "display_name": "Subnets should have a User Defined Route", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Network\",\"version\":\"2.0.0\"}", - "mode": "All", - "name": "Deny-Subnet-Without-Udr", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"excludedSubnets\":{\"defaultValue\":[\"AzureBastionSubnet\"],\"metadata\":{\"description\":\"Array of subnet names that are excluded from this policy\",\"displayName\":\"Excluded Subnets\"},\"type\":\"Array\"}}", - "policy_rule": "{\"if\":{\"anyOf\":[{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks\",\"field\":\"type\"},{\"count\":{\"field\":\"Microsoft.Network/virtualNetworks/subnets[*]\",\"where\":{\"allOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.Network/virtualNetworks/subnets[*].routeTable.id\"},{\"field\":\"Microsoft.Network/virtualNetworks/subnets[*].name\",\"notIn\":\"[parameters('excludedSubnets')]\"}]}},\"notEquals\":0}]},{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks/subnets\",\"field\":\"type\"},{\"field\":\"name\",\"notIn\":\"[parameters('excludedSubnets')]\"},{\"exists\":\"false\",\"field\":\"Microsoft.Network/virtualNetworks/subnets/routeTable.id\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.", - "display_name": "Deny vNet peering cross subscription.", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.1\"}", - "mode": "All", - "name": 
"Deny-VNET-Peer-Cross-Sub", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\"field\":\"type\"},{\"field\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id\",\"notcontains\":\"[subscription().id]\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-VNet-Peering\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-VNet-Peering", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the creation of vNet Peerings under the assigned scope.", - "display_name": "Deny vNet peering ", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.1\"}", - "mode": "All", - "name": "Deny-VNet-Peering", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\"field\":\"type\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - 
}, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy Azure Security Center Security Contacts", - "display_name": "Deploy Azure Security Center Security Contacts", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Security Center\",\"version\":\"1.0.0\"}", - "mode": "All", - "name": "Deploy-ASC-SecurityContacts", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"string\"},\"emailSecurityContact\":{\"metadata\":{\"description\":\"Provide email address for Azure Security Center contact details\",\"displayName\":\"Security contacts email address\"},\"type\":\"string\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"emailSecurityContact\":{\"value\":\"[parameters('emailSecurityContact')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"emailSecurityContact\":{\"metadata\":{\"description\":\"Security contacts email 
address\"},\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2020-01-01-preview\",\"name\":\"default\",\"properties\":{\"alertNotifications\":{\"minimalSeverity\":\"High\",\"state\":\"On\"},\"emails\":\"[parameters('emailSecurityContact')]\",\"notificationsByRole\":{\"roles\":[\"Owner\"],\"state\":\"On\"}},\"type\":\"Microsoft.Security/securityContacts\"}],\"variables\":{}}}},\"deploymentScope\":\"subscription\",\"existenceCondition\":{\"allOf\":[{\"contains\":\"[parameters('emailSecurityContact')]\",\"field\":\"Microsoft.Security/securityContacts/email\"},{\"equals\":\"Microsoft.Security/securityContacts\",\"field\":\"type\"},{\"equals\":\"On\",\"field\":\"Microsoft.Security/securityContacts/alertNotifications\"},{\"equals\":\"On\",\"field\":\"Microsoft.Security/securityContacts/alertsToAdmins\"}]},\"existenceScope\":\"subscription\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd\"],\"type\":\"Microsoft.Security/securityContacts\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Budget\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Budget", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy a default budget on all subscriptions under the assigned scope", - "display_name": "Deploy a default budget on all subscriptions under the assigned scope", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Budget\",\"version\":\"1.1.0\"}", - "mode": "All", - "name": 
"Deploy-Budget", - "parameters": "{\"amount\":{\"defaultValue\":\"1000\",\"metadata\":{\"description\":\"The total amount of cost or usage to track with the budget\"},\"type\":\"String\"},\"budgetName\":{\"defaultValue\":\"budget-set-by-policy\",\"metadata\":{\"description\":\"The name for the budget to be created\"},\"type\":\"String\"},\"contactEmails\":{\"defaultValue\":[],\"metadata\":{\"description\":\"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"},\"type\":\"Array\"},\"contactGroups\":{\"defaultValue\":[],\"metadata\":{\"description\":\"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"},\"type\":\"Array\"},\"contactRoles\":{\"defaultValue\":[\"Owner\",\"Contributor\"],\"metadata\":{\"description\":\"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"},\"type\":\"Array\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\"},\"type\":\"String\"},\"firstThreshold\":{\"defaultValue\":\"90\",\"metadata\":{\"description\":\"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"},\"type\":\"String\"},\"secondThreshold\":{\"defaultValue\":\"100\",\"metadata\":{\"description\":\"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"},\"type\":\"String\"},\"timeGrain\":{\"allowedValues\":[\"Monthly\",\"Quarterly\",\"Annually\",\"BillingMonth\",\"BillingQuarter\",\"BillingAnnual\"],\"defaultValue\":\"Monthly\",\"metadata\":{\"description\":\"The time covered by a budget. 
Tracking of the amount will be reset based on the time grain.\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"amount\":{\"value\":\"[parameters('amount')]\"},\"budgetName\":{\"value\":\"[parameters('budgetName')]\"},\"contactEmails\":{\"value\":\"[parameters('contactEmails')]\"},\"contactGroups\":{\"value\":\"[parameters('contactGroups')]\"},\"contactRoles\":{\"value\":\"[parameters('contactRoles')]\"},\"firstThreshold\":{\"value\":\"[parameters('firstThreshold')]\"},\"secondThreshold\":{\"value\":\"[parameters('secondThreshold')]\"},\"timeGrain\":{\"value\":\"[parameters('timeGrain')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"amount\":{\"type\":\"String\"},\"budgetName\":{\"type\":\"String\"},\"contactEmails\":{\"type\":\"Array\"},\"contactGroups\":{\"type\":\"Array\"},\"contactRoles\":{\"type\":\"Array\"},\"firstThreshold\":{\"type\":\"String\"},\"secondThreshold\":{\"type\":\"String\"},\"startDate\":{\"defaultValue\":\"[concat(utcNow('MM'), '/01/', 
utcNow('yyyy'))]\",\"type\":\"String\"},\"timeGrain\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2019-10-01\",\"name\":\"[parameters('budgetName')]\",\"properties\":{\"amount\":\"[parameters('amount')]\",\"category\":\"Cost\",\"notifications\":{\"NotificationForExceededBudget1\":{\"contactEmails\":\"[parameters('contactEmails')]\",\"contactGroups\":\"[parameters('contactGroups')]\",\"contactRoles\":\"[parameters('contactRoles')]\",\"enabled\":true,\"operator\":\"GreaterThan\",\"threshold\":\"[parameters('firstThreshold')]\"},\"NotificationForExceededBudget2\":{\"contactEmails\":\"[parameters('contactEmails')]\",\"contactGroups\":\"[parameters('contactGroups')]\",\"contactRoles\":\"[parameters('contactRoles')]\",\"enabled\":true,\"operator\":\"GreaterThan\",\"threshold\":\"[parameters('secondThreshold')]\"}},\"timeGrain\":\"[parameters('timeGrain')]\",\"timePeriod\":{\"startDate\":\"[parameters('startDate')]\"}},\"type\":\"Microsoft.Consumption/budgets\"}]}}},\"deploymentScope\":\"subscription\",\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('amount')]\",\"field\":\"Microsoft.Consumption/budgets/amount\"},{\"equals\":\"[parameters('timeGrain')]\",\"field\":\"Microsoft.Consumption/budgets/timeGrain\"},{\"equals\":\"Cost\",\"field\":\"Microsoft.Consumption/budgets/category\"}]},\"existenceScope\":\"subscription\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Consumption/budgets\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Custom-Route-Table\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Custom-Route-Table", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys a route table with specific user defined routes when one does not exist. The route table deployed by the policy must be manually associated to subnet(s)", - "display_name": "Deploy a route table with specific user defined routes", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Custom-Route-Table", - "parameters": "{\"disableBgpPropagation\":{\"defaultValue\":false,\"metadata\":{\"description\":\"Disable BGP Propagation\",\"displayName\":\"DisableBgpPropagation\"},\"type\":\"Boolean\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"requiredRoutes\":{\"metadata\":{\"description\":\"Routes that must exist in compliant route tables deployed by this policy\",\"displayName\":\"requiredRoutes\"},\"type\":\"Array\"},\"routeTableName\":{\"metadata\":{\"description\":\"Name of the route table automatically deployed by this policy\",\"displayName\":\"routeTableName\"},\"type\":\"String\"},\"vnetRegion\":{\"metadata\":{\"description\":\"Only VNets in this region will be evaluated against this policy\",\"displayName\":\"vnetRegion\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks\",\"field\":\"type\"},{\"equals\":\"[parameters('vnetRegion')]\",\"field\":\"location\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"disableBgpPropagation\":{\"value\":\"[parameters('disableBgpPropagation')]\"},\"requiredRoutes\":{\"value\":\"[parameters('requiredRoutes')]\"},\"routeTableName\":{\"value\":\"[parameters('routeTableName')]\"},\"vnetRegion\":{\"value\":\"[parameters('vnetRegion')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"disableBgpPropagation\":{\"type\":\"bool\"},\"requiredRoutes\":{\"type\":\"array\"},\"routeTableName\":{\"type\":\"string\"},\"vnetRegion\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2021-04-01\",\"name\":\"routeTableDepl\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"disableBgpPropagation\":{\"value\":\"[parameters('disableBgpPropagation')]\"},\"requiredRoutes\":{\"value\":\"[parameters('requiredRoutes')]\"},\"routeTableName\":{\"value\":\"[parameters('routeTableName')]\"},\"vnetRegion\":{\"value\":\"[parameters('vnetRegion')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"disableBgpPropagation\":{\"type\":\"bool\"},\"requiredRoutes\":{\"type\":\"array\"},\"routeTableName\":{\"type\":\"string\"},\"vnetRegion\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2021-02-01\",\"location\":\"[[parameters('vnetRegion')]\",\"name\":\"[[parameters('routeTableName')]\",\"properties\":{\"copy\":\"[variables('copyLoop')]\",\"disableBgpRoutePropagation\":\"[[parameters('disableBgpPropagation')]\"},\"type\":\"Microsoft.Network/routeTables\"}]}},\"type\":\"Microsoft.Resources/deployments\"}],\"variables\":{\"copyLoop\":[{\"count\":\"[[length(parameters('requir
edRoutes'))]\",\"input\":{\"name\":\"[[concat('route-',copyIndex('routes'))]\",\"properties\":{\"addressPrefix\":\"[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[0]]\",\"nextHopIpAddress\":\"[[if(equals(toLower(split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]),'virtualappliance'),split(parameters('requiredRoutes')[copyIndex('routes')], ';')[2], null())]\",\"nextHopType\":\"[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]]\"}},\"name\":\"routes\"}]}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('routeTableName')]\",\"field\":\"name\"},{\"count\":{\"field\":\"Microsoft.Network/routeTables/routes[*]\",\"where\":{\"in\":\"[parameters('requiredRoutes')]\",\"value\":\"[concat(current('Microsoft.Network/routeTables/routes[*].addressPrefix'), ';', current('Microsoft.Network/routeTables/routes[*].nextHopType'), if(equals(toLower(current('Microsoft.Network/routeTables/routes[*].nextHopType')),'virtualappliance'), concat(';', current('Microsoft.Network/routeTables/routes[*].nextHopIpAddress')), ''))]\"}},\"equals\":\"[length(parameters('requiredRoutes'))]\"}]},\"roleDefinitionIds\":[\"/subscriptions/e867a45d-e513-44ac-931e-4741cef80b24/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"],\"type\":\"Microsoft.Network/routeTables\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-DDoSProtection\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-DDoSProtection", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - 
"schema_version": 0, - "values": { - "description": "Deploys an Azure DDoS Protection Standard plan", - "display_name": "Deploy an Azure DDoS Protection Standard plan", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", - "mode": "All", - "name": "Deploy-DDoSProtection", - "parameters": "{\"ddosName\":{\"metadata\":{\"description\":\"DDoSVnet\",\"displayName\":\"ddosName\"},\"type\":\"String\"},\"ddosRegion\":{\"metadata\":{\"description\":\"DDoSVnet location\",\"displayName\":\"ddosRegion\",\"strongType\":\"location\"},\"type\":\"String\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"rgName\":{\"metadata\":{\"description\":\"Provide name for resource group.\",\"displayName\":\"rgName\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"ddosname\":{\"value\":\"[parameters('ddosname')]\"},\"ddosregion\":{\"value\":\"[parameters('ddosRegion')]\"},\"rgName\":{\"value\":\"[parameters('rgName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"ddosRegion\":{\"type\":\"String\"},\"ddosname\":{\"type\":\"String\"},\"rgName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2018-05-01\",\"location\":\"[deployment().location]\",\"name\":\"[parameters('rgName')]\",\"properties\":{},\"type\":\"Microsoft.Resources/resourceGroups\"},{\"apiVersion\":\"2018-05-01\",\"dependsOn\":[\"[resourceId('Microsoft.Resources/resourceGroups/', 
parameters('rgName'))]\"],\"name\":\"ddosprotection\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{},\"resources\":[{\"apiVersion\":\"2019-12-01\",\"location\":\"[parameters('ddosRegion')]\",\"name\":\"[parameters('ddosName')]\",\"properties\":{},\"type\":\"Microsoft.Network/ddosProtectionPlans\"}]}},\"resourceGroup\":\"[parameters('rgName')]\",\"type\":\"Microsoft.Resources/deployments\"}]}}},\"deploymentScope\":\"subscription\",\"existenceScope\":\"resourceGroup\",\"name\":\"[parameters('ddosName')]\",\"resourceGroupName\":\"[parameters('rgName')]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"],\"type\":\"Microsoft.Network/ddosProtectionPlans\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Automation to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-AA", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Automation/automationAccounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"JobLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"JobStreams\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DscNodeStatus\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AuditEvent\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Automation/automationAccounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the 
diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.", - "display_name": "Deploy Diagnostic Settings for Container Instances to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-ACI", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.ContainerInstance/containerGroups\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.ContainerInstance/containerGroups/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - 
"timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.", - "display_name": "Deploy Diagnostic Settings for Container Registry to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-ACR", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.ContainerRegistry/registries\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[paramet
ers('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ContainerRegistryLoginEvents\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ContainerRegistryRepositoryEvents\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.ContainerRegistry/registries/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic 
settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for API Management to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-APIMgmt", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.ApiManagement/service\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"GatewayLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.ApiManagement/service/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-AnalysisService", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.AnalysisServices/servers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Engine\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Service\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.AnalysisServices/servers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is 
created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-ApiForFHIR", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.HealthcareApis/services\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.HealthcareApis/services/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-ApplicationGateway", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/applicationGateways\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ApplicationGatewayAccessLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ApplicationGatewayPerformanceLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ApplicationGatewayFirewallLog\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/applicationGateways/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the 
diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-CDNEndpoints", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Cdn/profiles/endpoints\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('fullName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"CoreAnalytics\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Cdn/profiles/endpoints/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-CognitiveServices", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.CognitiveServices/accounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameter
s('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"RequestResponse\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Trace\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.CognitiveServices/accounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": 
"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-CosmosDB", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DocumentDB/databaseAccounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"DataPlaneRequests\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"MongoRequests\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"QueryRuntimeStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"PartitionKeyStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"PartitionKeyRUConsumption\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ControlPlaneRequests\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"CassandraRequests\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"GremlinRequests\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"Requests\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DocumentDB/databaseAccounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\"]", - 
"mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-DLAnalytics", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.DataLakeAnalytics/accounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameter
s('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Requests\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Azure Data 
Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-DataExplorerCluster", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Kusto/Clusters\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"SucceededIngestion\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"FailedIngestion\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"IngestionBatching\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Command\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Query\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TableUsageStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TableDetails\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Kusto/Clusters/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Data Factory to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-DataFactory", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.DataFactory/factories\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('lo
cation')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ActivityRuns\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"PipelineRuns\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TriggerRuns\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageEventMessages\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageExecutableStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageEventMessageContext\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageExecutionComponentPhases\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageExecutionDataStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISIntegrationRuntimeLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DataFactory/factories/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Databricks to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-Databricks", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Databricks/workspaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"dbfs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"clusters\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"accounts\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"jobs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"notebook\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ssh\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"workspace\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"secrets\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"sqlPermissions\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"instancePools\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Databricks/workspaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-EventGridSub", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.EventGrid/eventSubscriptions\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.EventGrid/eventSubscriptions/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-EventGridSystemTopic", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.EventGrid/systemTopics\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"DeliveryFailures\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.EventGrid/systemTopics/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-EventGridTopic", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.EventGrid/topics\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"DeliveryFailures\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"PublishFailures\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.EventGrid/topics/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings 
is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-ExpressRoute", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/expressRouteCircuits\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"PeeringRouteLog\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/expressRouteCircuits/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Firewall to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-Firewall", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/azureFirewalls\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AzureFirewallApplicationRule\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AzureFirewallNetworkRule\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AzureFirewallDnsProxy\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/azureFirewalls/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Front Door 
to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Front Door to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-FrontDoor", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/frontDoors\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"FrontdoorAccessLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"FrontdoorWebApplicationFirewallLog\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/frontDoors/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this 
diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-Function", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"contains\":\"functionapp\",\"value\":\"[field('kind')]\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"FunctionAppLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Web/sites/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for HDInsight to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-HDInsight", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.HDInsight/clusters\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.HDInsight/clusters/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - 
"sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-LoadBalancer", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/loadBalancers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('lo
cation')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"LoadBalancerAlertEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"LoadBalancerProbeHealthStatus\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/loadBalancers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for 
Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-LogicAppsISE", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Logic/integrationAccounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"IntegrationAccountTrackingEvents\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Logic/integrationAccounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for MariaDB to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-MariaDB", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.DBforMariaDB/servers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('loc
ation')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"MySqlSlowLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"MySqlAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DBforMariaDB/servers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Azure Media Service to stream 
to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-MediaService", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Media/mediaServices\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"KeyDeliveryRequests\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Media/mediaServices/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-MlWorkspace", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.MachineLearningServices/workspaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AmlComputeClusterEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AmlComputeClusterNodeEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AmlComputeJobEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AmlComputeCpuGpuUtilization\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AmlRunStatusChangedEvent\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"Run\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null},{\"category\":\"Model\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":true}},{\"category\":\"Quota\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null},{\"category\":\"Resource\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.MachineLearningServices/workspaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-MySQL", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.DBforMySQL/servers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('locat
ion')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"MySqlSlowLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"MySqlAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DBforMySQL/servers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics 
workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-NIC", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/networkInterfaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/networkInterfaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - 
"sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-NetworkSecurityGroups", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/networkSecurityGroups\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"NetworkSecurityGroupEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"NetworkSecurityGroupRuleCounter\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-PostgreSQL", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DBforPostgreSQL/servers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"PostgreSQLLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"QueryStoreRuntimeStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"QueryStoreWaitStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DBforPostgreSQL/servers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Power 
BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-PowerBIEmbedded", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.PowerBIDedicated/capacities\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Engine\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.PowerBIDedicated/capacities/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-RedisCache", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Cache/redis\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Cache/redis/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - 
}, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Relay to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-Relay", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Relay/namespaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('locatio
n')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"HybridConnectionsEvent\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Relay/namespaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing 
this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-SQLElasticPools", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Sql/servers/elasticPools\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('fullName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Sql/servers/elasticPools/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - 
}, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-SQLMI", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Sql/managedInstances\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ResourceUsageStats\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SQLSecurityAuditEvents\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DevOpsOperationsAudit\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Sql/managedInstances/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for SignalR to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-SignalR", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.SignalRService/SignalR\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AllLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.SignalRService/SignalR/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-TimeSeriesInsights", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.TimeSeriesInsights/environments\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Ingress\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Management\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.TimeSeriesInsights/environments/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this 
diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-TrafficManager", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/trafficManagerProfiles\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ProbeHealthStatusEvents\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/trafficManagerProfiles/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-VM", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Compute/virtualMachines\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false}}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Compute/virtualMachines/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": 
{} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-VMSS", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false}}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Compute/virtualMachineScaleSets/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled.", - "display_name": "Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-VNetGW", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/virtualNetworkGateways\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"GatewayDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"IKEDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"P2SDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"RouteDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"RouteDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TunnelDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/virtualNetworkGateways/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-VirtualNetwork", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/virtualNetworks\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('
location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"VMProtectionAlerts\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false}}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/virtualNetworks/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for WVD Application group to stream to a Log Analytics workspace when any application group which is missing this 
diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", - "display_name": "Deploy Diagnostic Settings for WVD Application group to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-WVDAppGroup", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DesktopVirtualization/applicationGroups\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Checkpoint\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Error\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Management\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DesktopVirtualization/applicationGroups/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for WVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all and categorys enabled.", - "display_name": "Deploy Diagnostic Settings for WVD Host Pools to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-WVDHostPools", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DesktopVirtualization/hostpools\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Checkpoint\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Error\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Management\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Connection\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"HostRegistration\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AgentHealthStatus\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DesktopVirtualization/hostpools/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for WVD Workspace to stream to a Log Analytics workspace when 
any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", - "display_name": "Deploy Diagnostic Settings for WVD Workspace to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-WVDWorkspace", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DesktopVirtualization/workspaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Checkpoint\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Error\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Management\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Feed\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DesktopVirtualization/workspaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-WebServerFarm", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Web/serverfarms\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Web/serverfarms/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - 
"sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for App Service to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-Website", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"notContains\":\"functionapp\",\"value\":\"[field('kind')]\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"20
17-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AppServiceAntivirusScanAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceHTTPLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceConsoleLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceHTTPLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceAppLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceFileAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceIPSecAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServicePlatformLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Web/sites/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": 
{} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-iotHub", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Devices/IotHubs\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location
')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Connections\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DeviceTelemetry\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"C2DCommands\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DeviceIdentityOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"FileUploadOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Routes\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"D2CTwinOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"C2DTwinOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TwinQueries\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"JobsOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DirectMethods\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DistributedTracing\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Configurations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DeviceStreams\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Devices/IotHubs/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa
\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-FirewallPolicy\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-FirewallPolicy", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys Azure Firewall Manager policy in subscription where the policy is assigned.", - "display_name": "Deploy Azure Firewall Manager policy in the subscription", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", - "mode": "All", - "name": "Deploy-FirewallPolicy", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"fwPolicyRegion\":{\"metadata\":{\"description\":\"Select Azure region for Azure Firewall Policy\",\"displayName\":\"fwPolicyRegion\",\"strongType\":\"location\"},\"type\":\"String\"},\"fwpolicy\":{\"defaultValue\":{},\"metadata\":{\"description\":\"Object describing Azure Firewall Policy\",\"displayName\":\"fwpolicy\"},\"type\":\"Object\"},\"rgName\":{\"metadata\":{\"description\":\"Provide name for resource group.\",\"displayName\":\"rgName\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"fwPolicy\":{\"value\":\"[parameters('fwPolicy')]\"},\"fwPolicyRegion\":{\"value\":\"[parameters('fwPolicyRegion')]\"},\"rgName\":{\"value\":\"[parameters('rgName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"fwPolicy\":{\"type\":\"object\"},\"fwPolicyRegion\":{\"type\":\"String\"},\"rgName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2018-05-01\",\"location\":\"[deployment().location]\",\"name\":\"[parameters('rgName')]\",\"properties\":{},\"type\":\"Microsoft.Resources/resourceGroups\"},{\"apiVersion\":\"2018-05-01\",\"dependsOn\":[\"[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]\"],\"name\":\"fwpolicies\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{},\"resources\":[{\"apiVersion\":\"2019-09-01\",\"dependsOn\":[],\"location\":\"[parameters('fwpolicy').location]\",\"name\":\"[parameters('fwpolicy').firewallPolicyName]\",\"properties\":{},\"resources\":[{\"apiVersion\":\"2019-09-01\",\"dependsOn\":[\"[resourceId('Microsoft.Network/firewallPolicies',parameters('fwpolicy').firewallPolicyName)]\"],\"name\":\"[parameters('fwpolicy').ruleGroups.name]\",\"properties\":{\"priority\":\"[parameters('fwpolicy').ruleGroups.properties.priority]\",\"rules\":\"[parameters('fwpolicy').ruleGroups.properties.rules]\"},\"type\":\"ruleGroups\"}],\"tags\":{},\"type\":\"Microsoft.Network/firewallPolicies\"}],\"variables\":{}}},\"resourceGroup\":\"[parameters('rgName')]\",\"type\":\"Microsoft.Resources/deployments\"}]}}},\"depl
oymentScope\":\"subscription\",\"existenceScope\":\"resourceGroup\",\"resourceGroupName\":\"[parameters('rgName')]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Network/firewallPolicies\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-MySQL-sslEnforcement", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure Database for MySQL server\",\"displayName\":\"Effect minimum TLS version Azure Database for MySQL server\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"Select version minimum TLS for MySQL server\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforMySQL/servers\",\"field\":\"type\"},{\"anyOf\":[{\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"},{\"field\":\"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('minimalTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimalTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-12-01\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimalTlsVersion\":\"[parameters('minimalTlsVersion')]\",\"sslEnforcement\":\"[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]\"},\"type\":\"Microsoft.DBforMySQL/servers\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"Enabled\",\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\"},{\"equals\":\"[parameters('minimalTlsVersion')]\",\"field\":\"Microsoft.DBforMySQL/servers/minimalTlsVersion\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.DBforMySQL/servers\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs\"]", - 
"mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys NSG flow logs and traffic analytics to a storageaccountid with a specfied retention period.", - "display_name": "Deploys NSG flow logs and traffic analytics", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Nsg-FlowLogs", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"flowAnalyticsEnabled\":{\"defaultValue\":false,\"metadata\":{\"displayName\":\"Enable Traffic Analytics\"},\"type\":\"Boolean\"},\"logAnalytics\":{\"defaultValue\":\"\",\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Resource ID of Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"retention\":{\"defaultValue\":5,\"metadata\":{\"displayName\":\"Retention\"},\"type\":\"Integer\"},\"storageAccountResourceId\":{\"metadata\":{\"displayName\":\"Storage Account Resource Id\",\"strongType\":\"Microsoft.Storage/storageAccounts\"},\"type\":\"String\"},\"trafficAnalyticsInterval\":{\"defaultValue\":60,\"metadata\":{\"displayName\":\"Traffic Analytics processing interval mins (10/60)\"},\"type\":\"Integer\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/networkSecurityGroups\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"flowAnalyticsEnabled\":{\"value\":\"[parameters('flowAnalyticsEnabled')]\"},\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"networkSecurityGroupName\":{\"value\":\"[field('name')]\"},\"resourceGroupName\":{\"value\":\"[resourceGroup().name]\"},\"retention\":{\"value\":\"[parameters('retention')]\"},\"storageAccountResourceId\":{\"value\":\"[parameters('storageAccountResourceId')]\"},\"trafficAnalyticsInterval\":{\"value\":\"[parameters('trafficAnalyticsInterval')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"flowAnalyticsEnabled\":{\"type\":\"bool\"},\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"networkSecurityGroupName\":{\"type\":\"String\"},\"resourceGroupName\":{\"type\":\"String\"},\"retention\":{\"type\":\"int\"},\"storageAccountResourceId\":{\"type\":\"String\"},\"trafficAnalyticsInterval\":{\"type\":\"int\"}},\"resources\":[{\"api
Version\":\"2020-05-01\",\"location\":\"[parameters('location')]\",\"name\":\"[take(concat('NetworkWatcher_', toLower(parameters('location')), '/', parameters('networkSecurityGroupName'), '-', parameters('resourceGroupName'), '-flowlog' ), 80)]\",\"properties\":{\"enabled\":true,\"flowAnalyticsConfiguration\":{\"networkWatcherFlowAnalyticsConfiguration\":{\"enabled\":\"[bool(parameters('flowAnalyticsEnabled'))]\",\"trafficAnalyticsInterval\":\"[parameters('trafficAnalyticsInterval')]\",\"workspaceId\":\"[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').properties.customerId, json('null')) ]\",\"workspaceRegion\":\"[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').location, json('null')) ]\",\"workspaceResourceId\":\"[if(not(empty(parameters('logAnalytics'))), parameters('logAnalytics'), json('null'))]\"}},\"format\":{\"type\":\"JSON\",\"version\":2},\"retentionPolicy\":{\"days\":\"[parameters('retention')]\",\"enabled\":true},\"storageId\":\"[parameters('storageAccountResourceId')]\",\"targetResourceId\":\"[resourceId(parameters('resourceGroupName'), 'Microsoft.Network/networkSecurityGroups', 
parameters('networkSecurityGroupName'))]\"},\"type\":\"Microsoft.Network/networkWatchers/flowLogs\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Network/networkWatchers/flowLogs/enabled\"},{\"equals\":\"[parameters('flowAnalyticsEnabled')]\",\"field\":\"Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled\"}]},\"resourceGroupName\":\"NetworkWatcherRG\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Network/networkWatchers/flowLogs\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs-to-LA\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs-to-LA", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys NSG flow logs and traffic analytics to Log Analytics with a specfied retention period.", - "display_name": "Deploys NSG flow logs and traffic analytics to Log Analytics", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.1.0\"}", - "mode": "Indexed", - "name": "Deploy-Nsg-FlowLogs-to-LA", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"interval\":{\"defaultValue\":60,\"metadata\":{\"displayName\":\"Traffic Analytics processing interval mins (10/60)\"},\"type\":\"Integer\"},\"retention\":{\"defaultValue\":5,\"metadata\":{\"displayName\":\"Retention\"},\"type\":\"Integer\"},\"workspace\":{\"defaultValue\":\"\",\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Resource ID of Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/networkSecurityGroups\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"interval\":{\"value\":\"[parameters('interval')]\"},\"location\":{\"value\":\"[field('location')]\"},\"networkSecurityGroup\":{\"value\":\"[field('id')]\"},\"retention\":{\"value\":\"[parameters('retention')]\"},\"workspace\":{\"value\":\"[parameters('workspace')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"interval\":{\"type\":\"int\"},\"location\":{\"type\":\"String\"},\"networkSecurityGroup\":{\"type\":\"String\"},\"retention\":{\"type\":\"int\"},\"time\":{\"defaultValue\":\"[utcNow()]\",\"type\":\"String\"},\"workspace\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2019-10-01\",\"name\":\"[concat(variables('resourceGroupName'), '.', 
variables('securityGroupName'))]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"resources\":[{\"apiVersion\":\"2019-06-01\",\"kind\":\"StorageV2\",\"location\":\"[parameters('location')]\",\"name\":\"[variables('storageAccountName')]\",\"properties\":{},\"sku\":{\"name\":\"Standard_LRS\",\"tier\":\"Standard\"},\"type\":\"Microsoft.Storage/storageAccounts\"}]}},\"resourceGroup\":\"[variables('resourceGroupName')]\",\"type\":\"Microsoft.Resources/deployments\"},{\"apiVersion\":\"2019-10-01\",\"dependsOn\":[\"[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]\"],\"name\":\"[concat('NetworkWatcherRG', '.', variables('securityGroupName'))]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"resources\":[{\"apiVersion\":\"2020-05-01\",\"location\":\"[parameters('location')]\",\"name\":\"[concat('NetworkWatcher_', toLower(parameters('location')))]\",\"properties\":{},\"resources\":[{\"apiVersion\":\"2019-11-01\",\"dependsOn\":[\"[concat('NetworkWatcher_', toLower(parameters('location')))]\"],\"location\":\"[parameters('location')]\",\"name\":\"[concat(variables('securityGroupName'), '-Network-flowlog')]\",\"properties\":{\"enabled\":true,\"flowAnalyticsConfiguration\":{\"networkWatcherFlowAnalyticsConfiguration\":{\"enabled\":true,\"trafficAnalyticsInterval\":\"[parameters('interval')]\",\"workspaceResourceId\":\"[parameters('workspace')]\"}},\"format\":{\"type\":\"JSON\",\"version\":2},\"retentionPolicy\":{\"days\":\"[parameters('retention')]\",\"enabled\":true},\"storageId\":\"[concat(subscription().id, '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.Storage/storageAccounts/', 
variables('storageAccountName'))]\",\"targetResourceId\":\"[parameters('networkSecurityGroup')]\"},\"type\":\"flowLogs\"}],\"type\":\"Microsoft.Network/networkWatchers\"}]}},\"resourceGroup\":\"NetworkWatcherRG\",\"type\":\"Microsoft.Resources/deployments\"}],\"variables\":{\"resourceGroupName\":\"[split(parameters('networkSecurityGroup'), '/')[4]]\",\"securityGroupName\":\"[split(parameters('networkSecurityGroup'), '/')[8]]\",\"storageAccountName\":\"[concat('es', uniqueString(variables('securityGroupName'), parameters('time')))]\"}}}},\"deploymentScope\":\"subscription\",\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Network/networkWatchers/flowLogs/enabled\"}]},\"existenceScope\":\"resourceGroup\",\"name\":\"[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id'))), 'null/null', concat(split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8], '/', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10]))]\",\"resourceGroupName\":\"[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), 'NetworkWatcherRG', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\",\"/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12\",\"/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\",\"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\",\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Network/networkWatchers/flowlogs\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL ", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-PostgreSQL-sslEnforcement", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure Database for PostgreSQL server\",\"displayName\":\"Effect Azure Database for PostgreSQL server\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for PostgreSQL server to enforce\",\"displayName\":\"Select version for PostgreSQL 
server\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforPostgreSQL/servers\",\"field\":\"type\"},{\"anyOf\":[{\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\"notEquals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('minimalTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimalTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-12-01\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimalTlsVersion\":\"[parameters('minimalTlsVersion')]\",\"sslEnforcement\":\"[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]\"},\"type\":\"Microsoft.DBforPostgreSQL/servers\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"Enabled\",\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\"},{\"equals\":\"[parameters('minimalTlsVersion')]\",\"field\":\"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\"}]},\"name\":\"current\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.DBforPostgreSQL/servers\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "SQL servers deploys a specific min TLS version requirement.", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-SQL-minTLS", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version SQL servers\",\"displayName\":\"Effect SQL servers\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version SQL servers to enforce\",\"displayName\":\"Select version for SQL server\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Sql/servers\",\"field\":\"type\"},{\"field\":\"Microsoft.Sql/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('minimalTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimalTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2019-06-01-preview\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimalTlsVersion\":\"[parameters('minimalTlsVersion')]\"},\"type\":\"Microsoft.Sql/servers\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('minimalTlsVersion')]\",\"field\":\"Microsoft.Sql/servers/minimalTlsVersion\"}]},\"name\":\"current\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.Sql/servers\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - 
"schema_version": 0, - "values": { - "description": "Deploy auditing settings to SQL Database when it not exist in the deployment", - "display_name": "Deploy SQL database auditing settings", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Sql-AuditingSettings", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Sql/servers/databases\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"sqlServerDataBaseName\":{\"value\":\"[field('name')]\"},\"sqlServerName\":{\"value\":\"[first(split(field('fullname'),'/'))]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"sqlServerDataBaseName\":{\"type\":\"String\"},\"sqlServerName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-03-01-preview\",\"name\":\"[concat( 
parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\"properties\":{\"auditActionsAndGroups\":[\"BATCH_COMPLETED_GROUP\",\"DATABASE_OBJECT_CHANGE_GROUP\",\"SCHEMA_OBJECT_CHANGE_GROUP\",\"BACKUP_RESTORE_GROUP\",\"APPLICATION_ROLE_CHANGE_PASSWORD_GROUP\",\"DATABASE_PRINCIPAL_CHANGE_GROUP\",\"DATABASE_PRINCIPAL_IMPERSONATION_GROUP\",\"DATABASE_ROLE_MEMBER_CHANGE_GROUP\",\"USER_CHANGE_PASSWORD_GROUP\",\"DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP\",\"DATABASE_OBJECT_PERMISSION_CHANGE_GROUP\",\"DATABASE_PERMISSION_CHANGE_GROUP\",\"SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP\",\"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP\",\"FAILED_DATABASE_AUTHENTICATION_GROUP\"],\"isAzureMonitorTargetEnabled\":true,\"state\":\"enabled\"},\"type\":\"Microsoft.Sql/servers/databases/auditingSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"enabled\",\"field\":\"Microsoft.Sql/servers/databases/auditingSettings/state\"},{\"equals\":\"true\",\"field\":\"Microsoft.Sql/servers/databases/auditingSettings/isAzureMonitorTargetEnabled\"}]},\"name\":\"default\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"],\"type\":\"Microsoft.Sql/servers/databases/auditingSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": 
"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration", - "display_name": "Deploy SQL Database security Alert Policies configuration with email admin accounts", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Sql-SecurityAlertPolicies", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Sql/servers/databases\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"sqlServerDataBaseName\":{\"value\":\"[field('name')]\"},\"sqlServerName\":{\"value\":\"[first(split(field('fullname'),'/'))]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"sqlServerDataBaseName\":{\"type\":\"String\"},\"sqlServerName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2018-06-01-preview\",\"name\":\"[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\"properties\":{\"disabledAlerts\":[\"\"],\"emailAccountAdmins\":true,\"emailAddresses\":[\"admin@contoso.com\"],\"retentionDays\":0,\"state\":\"Enabled\",\"storageAccountAccessKey\":\"\",\"storageEndpoint\":null},\"type\":\"Microsoft.Sql/servers/databases/securityAlertPolicies\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"Enabled\",\"field\":\"Microsoft.Sql/servers/databases/securityAlertPolicies/state\"}]},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88
-42e1-933e-88ba6a50c9c3\"],\"type\":\"Microsoft.Sql/servers/databases/securityAlertPolicies\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment", - "display_name": "Deploy SQL Database Transparent Data Encryption ", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Sql-Tde", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Sql/servers/databases\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"sqlServerDataBaseName\":{\"value\":\"[field('name')]\"},\"sqlServerName\":{\"value\":\"[first(split(field('fullname'),'/'))]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"sqlServerDataBaseName\":{\"type\":\"String\"},\"sqlServerName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2014-04-01\",\"name\":\"[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/current')]\",\"properties\":{\"status\":\"Enabled\"},\"type\":\"Microsoft.Sql/servers/databases/transparentDataEncryption\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"Enabled\",\"field\":\"Microsoft.Sql/transparentDataEncryption.status\"}]},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"],\"type\":\"Microsoft.Sql/servers/databases/transparentDataEncryption\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy SQL Database 
vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters", - "display_name": "Deploy SQL Database vulnerability Assessments", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Sql-vulnerabilityAssessments", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"vulnerabilityAssessmentsEmail\":{\"metadata\":{\"description\":\"The email address to send alerts\",\"displayName\":\"The email address to send alerts\"},\"type\":\"String\"},\"vulnerabilityAssessmentsStorageID\":{\"metadata\":{\"description\":\"The storage account ID to store assessments\",\"displayName\":\"The storage account ID to store assessments\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Sql/servers/databases\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"sqlServerDataBaseName\":{\"value\":\"[field('name')]\"},\"sqlServerName\":{\"value\":\"[first(split(field('fullname'),'/'))]\"},\"vulnerabilityAssessmentsEmail\":{\"value\":\"[parameters('vulnerabilityAssessmentsEmail')]\"},\"vulnerabilityAssessmentsStorageID\":{\"value\":\"[parameters('vulnerabilityAssessmentsStorageID')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"sqlServerDataBaseName\":{\"type\":\"String\"},\"sqlServerName\":{\"type\":\"String\"},\"vulnerabilityAssessmentsEmail\":{\"type\":\"String\"},\"vulnerabilityAssessmentsStorageID\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-03-01-preview\",\"name\":\"[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\"properties\":{\"recurringScans\":{\"emailSubscriptionAdmins\":false,\"emails\":[\"[parameters('vulnerabilityAssessmentsEmail')]\"],\"isEnabled\":true},\"storageAccountAccessKey\":\"[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]\",\"storageContainerPath\":\"[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') ) , 
'.blob.core.windows.net/vulneraabilitylogs')]\"},\"type\":\"Microsoft.Sql/servers/databases/vulnerabilityAssessments\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('vulnerabilityAssessmentsEmail')]\",\"field\":\"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails\"},{\"equals\":true,\"field\":\"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled\"}]},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\",\"/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\"],\"type\":\"Microsoft.Sql/servers/databases/vulnerabilityAssessments\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "SQL managed instances deploy a specific min TLS version requirement.", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-SqlMi-minTLS", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version SQL servers\",\"displayName\":\"Effect SQL servers\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version SQL servers to enforce\",\"displayName\":\"Select version for SQL server\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Sql/managedInstances\",\"field\":\"type\"},{\"field\":\"Microsoft.Sql/managedInstances/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('minimalTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimalTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2020-02-02-preview\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimalTlsVersion\":\"[parameters('minimalTlsVersion')]\"},\"type\":\"Microsoft.Sql/managedInstances\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[
{\"equals\":\"[parameters('minimalTlsVersion')]\",\"field\":\"Microsoft.Sql/managedInstances/minimalTlsVersion\"}]},\"name\":\"current\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.Sql/managedInstances\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure STorage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS ", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Storage\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Storage-sslEnforcement", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure STorage\",\"displayName\":\"Effect Azure STorage\"},\"type\":\"String\"},\"minimumTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_1\",\"TLS1_0\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure STorage to enforce\",\"displayName\":\"Select version for PostgreSQL server\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Storage/storageAccounts\",\"field\":\"type\"},{\"anyOf\":[{\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\"notEquals\":\"true\"},{\"field\":\"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\"notEquals\":\"[parameters('minimumTlsVersion')]\"}]}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('minimumTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimumTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2019-06-01\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":
{\"minimumTlsVersion\":\"[parameters('minimumTlsVersion')]\",\"supportsHttpsTrafficOnly\":true},\"type\":\"Microsoft.Storage/storageAccounts\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\"},{\"equals\":\"[parameters('minimumTlsVersion')]\",\"field\":\"Microsoft.Storage/storageAccounts/minimumTlsVersion\"},{\"equals\":\"false\",\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\"}]},\"name\":\"current\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.DBforPostgreSQL/servers\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-VNET-HubSpoke\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-VNET-HubSpoke", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy deploys virtual network and peer to the hub", - "display_name": "Deploy Virtual Network with peering to the hub", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Network\",\"version\":\"1.1.0\"}", - "mode": "All", - "name": "Deploy-VNET-HubSpoke", - "parameters": "{\"dnsServers\":{\"defaultValue\":[],\"metadata\":{\"description\":\"Default domain servers for the vNET.\",\"displayName\":\"DNSServers\"},\"type\":\"Array\"},\"hubResourceId\":{\"metadata\":{\"description\":\"Resource ID for the HUB 
vNet\",\"displayName\":\"hubResourceId\"},\"type\":\"String\"},\"vNetCidrRange\":{\"metadata\":{\"description\":\"CIDR Range for the vNet\",\"displayName\":\"vNetCidrRange\"},\"type\":\"String\"},\"vNetLocation\":{\"metadata\":{\"description\":\"Location for the vNet\",\"displayName\":\"vNetLocation\"},\"type\":\"String\"},\"vNetName\":{\"metadata\":{\"description\":\"Name of the landing zone vNet\",\"displayName\":\"vNetName\"},\"type\":\"String\"},\"vNetPeerUseRemoteGateway\":{\"defaultValue\":false,\"metadata\":{\"description\":\"Enable gateway transit for the LZ network\",\"displayName\":\"vNetPeerUseRemoteGateway\"},\"type\":\"Boolean\"},\"vNetRgName\":{\"metadata\":{\"description\":\"Name of the landing zone vNet RG\",\"displayName\":\"vNetRgName\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"ResourceGroupName\":\"[parameters('vNetRgName')]\",\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"dnsServers\":{\"value\":\"[parameters('dnsServers')]\"},\"hubResourceId\":{\"value\":\"[parameters('hubResourceId')]\"},\"vNetCidrRange\":{\"value\":\"[parameters('vNetCidrRange')]\"},\"vNetLocation\":{\"value\":\"[parameters('vNetLocation')]\"},\"vNetName\":{\"value\":\"[parameters('vNetName')]\"},\"vNetPeerUseRemoteGateway\":{\"value\":\"[parameters('vNetPeerUseRemoteGateway')]\"},\"vNetRgName\":{\"value\":\"[parameters('vNetRgName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"dnsServers\":{\"defaultValue\":[],\"type\":\"Array\"},\"hubResourceId\":{\"type\":\"String\"},\"vNetCidrRange\":{\"type\":\"String\"},\"vNetLocation\":{\"type\":\"String\"},\"vNetName\":{\"type\":\"String\"},\"vNetPeerUseRemoteGateway\":{\"defaultValue\":false,\"type\":\"bool\"},\"vNetRgNam
e\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2021-04-01\",\"dependsOn\":[],\"location\":\"[parameters('vNetLocation')]\",\"name\":\"[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6),'-rg')]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{},\"resources\":[{\"apiVersion\":\"2021-04-01\",\"location\":\"[parameters('vNetLocation')]\",\"name\":\"[parameters('vNetRgName')]\",\"properties\":{},\"type\":\"Microsoft.Resources/resourceGroups\"}],\"variables\":{}}},\"type\":\"Microsoft.Resources/deployments\"},{\"apiVersion\":\"2021-04-01\",\"dependsOn\":[\"[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6),'-rg')]\"],\"name\":\"[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6))]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{},\"resources\":[{\"apiVersion\":\"2021-02-01\",\"dependsOn\":[],\"location\":\"[parameters('vNetLocation')]\",\"name\":\"[parameters('vNetName')]\",\"properties\":{\"addressSpace\":{\"addressPrefixes\":[\"[parameters('vNetCidrRange')]\"]},\"dhcpOptions\":{\"dnsServers\":\"[parameters('dnsServers')]\"}},\"type\":\"Microsoft.Network/virtualNetworks\"},{\"apiVersion\":\"2021-02-01\",\"dependsOn\":[\"[parameters('vNetName')]\"],\"name\":\"[concat(parameters('vNetName'), 
'/peerToHub')]\",\"properties\":{\"allowForwardedTraffic\":true,\"allowGatewayTransit\":false,\"allowVirtualNetworkAccess\":true,\"remoteVirtualNetwork\":{\"id\":\"[parameters('hubResourceId')]\"},\"useRemoteGateways\":\"[parameters('vNetPeerUseRemoteGateway')]\"},\"type\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\"},{\"apiVersion\":\"2021-04-01\",\"dependsOn\":[\"[parameters('vNetName')]\"],\"name\":\"[concat('es-lz-hub-',substring(uniqueString(subscription().id),0,6),'-peering')]\",\"properties\":{\"expressionEvaluationOptions\":{\"scope\":\"inner\"},\"mode\":\"Incremental\",\"parameters\":{\"hubName\":{\"value\":\"[split(parameters('hubResourceId'),'/')[8]]\"},\"remoteVirtualNetwork\":{\"value\":\"[concat(subscription().id,'/resourceGroups/',parameters('vNetRgName'), '/providers/','Microsoft.Network/virtualNetworks/', parameters('vNetName'))]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"hubName\":{\"defaultValue\":false,\"type\":\"String\"},\"remoteVirtualNetwork\":{\"defaultValue\":false,\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2021-02-01\",\"name\":\"[[concat(parameters('hubName'),'/',last(split(parameters('remoteVirtualNetwork'),'/')))]\",\"properties\":{\"allowForwardedTraffic\":true,\"allowGatewayTransit\":true,\"allowVirtualNetworkAccess\":true,\"remoteVirtualNetwork\":{\"id\":\"[[parameters('remoteVirtualNetwork')]\"},\"useRemoteGateways\":false},\"type\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\"}],\"variables\":{}}},\"resourceGroup\":\"[split(parameters('hubResourceId'),'/')[4]]\",\"subscriptionId\":\"[split(parameters('hubResourceId'),'/')[2]]\",\"type\":\"Microsoft.Resources/deployments\"}],\"variables\":{}}},\"resourceGroup\":\"[parameters('vNetRgName')]\",\"type\":\"Microsoft.Resources/deployments\"}],\"variables\":{}}}},\"deploymentScope\":\"subscription\",\"existenceCon
dition\":{\"allOf\":[{\"field\":\"name\",\"like\":\"[parameters('vNetName')]\"},{\"equals\":\"[parameters('vNetLocation')]\",\"field\":\"location\"}]},\"existenceScope\":\"resourceGroup\",\"name\":\"[parameters('vNetName')]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Network/virtualNetworks\"},\"effect\":\"deployIfNotExists\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Windows-DomainJoin\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Windows-DomainJoin", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy Windows Domain Join Extension with keyvault configuration when the extension does not exist on a given windows Virtual Machine", - "display_name": "Deploy Windows Domain Join Extension with keyvault configuration", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Guest Configuration\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Windows-DomainJoin", - "parameters": 
"{\"domainFQDN\":{\"metadata\":{\"displayName\":\"domainFQDN\"},\"type\":\"String\"},\"domainOUPath\":{\"metadata\":{\"displayName\":\"domainOUPath\"},\"type\":\"String\"},\"domainPassword\":{\"metadata\":{\"displayName\":\"domainPassword\"},\"type\":\"String\"},\"domainUsername\":{\"metadata\":{\"displayName\":\"domainUsername\"},\"type\":\"String\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"keyVaultResourceId\":{\"metadata\":{\"displayName\":\"keyVaultResourceId\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Compute/virtualMachines\",\"field\":\"type\"},{\"equals\":\"MicrosoftWindowsServer\",\"field\":\"Microsoft.Compute/imagePublisher\"},{\"equals\":\"WindowsServer\",\"field\":\"Microsoft.Compute/imageOffer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2008-R2-SP1-zhcn\",\"2012-Datacenter\",\"2012-datacenter-gensecond\",\"2012-Datacenter-smalldisk\",\"2012-datacenter-smalldisk-g2\",\"2012-Datacenter-zhcn\",\"2012-datacenter-zhcn-g2\",\"2012-R2-Datacenter\",\"2012-r2-datacenter-gensecond\",\"2012-R2-Datacenter-smalldisk\",\"2012-r2-datacenter-smalldisk-g2\",\"2012-R2-Datacenter-zhcn\",\"2012-r2-datacenter-zhcn-g2\",\"2016-Datacenter\",\"2016-datacenter-gensecond\",\"2016-datacenter-gs\",\"2016-Datacenter-Server-Core\",\"2016-datacenter-server-core-g2\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-datacenter-server-core-smalldisk-g2\",\"2016-Datacenter-smalldisk\",\"2016-datacenter-smalldisk-g2\",\"2016-Datacenter-with-Containers\",\"2016-datacenter-with-containers-g2\",\"2016-Datacenter-with-RDSH\",\"2016-Datacenter-zhcn\",\"2016-datacenter-zhcn-g2\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-datacenter-core-g2\",\"2019-Datacenter-Core-smalldisk\",\"2019-datacenter-cor
e-smalldisk-g2\",\"2019-Datacenter-Core-with-Containers\",\"2019-datacenter-core-with-containers-g2\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-datacenter-core-with-containers-smalldisk-g2\",\"2019-datacenter-gensecond\",\"2019-datacenter-gs\",\"2019-Datacenter-smalldisk\",\"2019-datacenter-smalldisk-g2\",\"2019-Datacenter-with-Containers\",\"2019-datacenter-with-containers-g2\",\"2019-Datacenter-with-Containers-smalldisk\",\"2019-datacenter-with-containers-smalldisk-g2\",\"2019-Datacenter-zhcn\",\"2019-datacenter-zhcn-g2\",\"Datacenter-Core-1803-with-Containers-smalldisk\",\"datacenter-core-1803-with-containers-smalldisk-g2\",\"Datacenter-Core-1809-with-Containers-smalldisk\",\"datacenter-core-1809-with-containers-smalldisk-g2\",\"Datacenter-Core-1903-with-Containers-smalldisk\",\"datacenter-core-1903-with-containers-smalldisk-g2\",\"datacenter-core-1909-with-containers-smalldisk\",\"datacenter-core-1909-with-containers-smalldisk-g1\",\"datacenter-core-1909-with-containers-smalldisk-g2\"]}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"domainFQDN\":{\"value\":\"[parameters('domainFQDN')]\"},\"domainOUPath\":{\"value\":\"[parameters('domainOUPath')]\"},\"domainPassword\":{\"reference\":{\"keyVault\":{\"id\":\"[parameters('keyVaultResourceId')]\"},\"secretName\":\"[parameters('domainPassword')]\"}},\"domainUsername\":{\"reference\":{\"keyVault\":{\"id\":\"[parameters('keyVaultResourceId')]\"},\"secretName\":\"[parameters('domainUsername')]\"}},\"keyVaultResourceId\":{\"value\":\"[parameters('keyVaultResourceId')]\"},\"location\":{\"value\":\"[field('location')]\"},\"vmName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"domainFQDN\":{\"type\":\"String\"},\"domainOUPath\":{\"type\":\"String\"},\"domainPassword\":{\"type\":\"securestring\"},\"
domainUsername\":{\"type\":\"String\"},\"keyVaultResourceId\":{\"type\":\"String\"},\"location\":{\"type\":\"String\"},\"vmName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2015-06-15\",\"location\":\"[resourceGroup().location]\",\"name\":\"[concat(variables('vmName'),'/joindomain')]\",\"properties\":{\"autoUpgradeMinorVersion\":true,\"protectedSettings\":{\"Password\":\"[parameters('domainPassword')]\"},\"publisher\":\"Microsoft.Compute\",\"settings\":{\"Name\":\"[parameters('domainFQDN')]\",\"OUPath\":\"[parameters('domainOUPath')]\",\"Options\":\"[variables('domainJoinOptions')]\",\"Restart\":\"true\",\"User\":\"[parameters('domainUserName')]\"},\"type\":\"JsonADDomainExtension\",\"typeHandlerVersion\":\"1.3\"},\"type\":\"Microsoft.Compute/virtualMachines/extensions\"}],\"variables\":{\"domainJoinOptions\":3,\"vmName\":\"[parameters('vmName')]\"}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"JsonADDomainExtension\",\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\"},{\"equals\":\"Microsoft.Compute\",\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\"}]},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"],\"type\":\"Microsoft.Compute/virtualMachines/extensions\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints\"]", - "mode": "managed", - "type": "azurerm_policy_set_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { 
- "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints", - "display_name": "Public network access should be disabled for PaaS services", - "management_group_name": "root-id-1", - "name": "Deny-PublicPaaSEndpoints", - "parameters": "{\"ACRPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies the creation of Azure Container Registires with exposed public endpoints \",\"displayName\":\"Public network access on Azure Container Registry disabled\"},\"type\":\"String\"},\"AFSPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies the creation of Azure File Sync instances with exposed public endpoints \",\"displayName\":\"Public network access on Azure File Sync disabled\"},\"type\":\"String\"},\"AKSPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies the creation of Azure Kubernetes Service non-private clusters\",\"displayName\":\"Public network access on AKS API should be disabled\"},\"type\":\"String\"},\"BatchPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of Azure Batch Instances with exposed public endpoints\",\"displayName\":\"Public network access should be disabled for Azure Batch Instances\"},\"type\":\"String\"},\"CosmosPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies that Cosmos database accounts are created with out public network access is disabled.\",\"displayName\":\"Public network access should be disabled for 
CosmosDB\"},\"type\":\"String\"},\"KeyVaultPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\",\"displayName\":\"Public network access should be disabled for KeyVault\"},\"type\":\"String\"},\"MySQLFlexPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\",\"displayName\":\"Public network access should be disabled for MySQL Flexible Server\"},\"type\":\"String\"},\"PostgreSQLFlexPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of Postgre SQL Flexible DB accounts with exposed public endpoints\",\"displayName\":\"Public network access should be disabled for PostgreSql Flexible Server\"},\"type\":\"String\"},\"SqlServerPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of Sql servers with exposed public endpoints\",\"displayName\":\"Public network access on Azure SQL Database should be disabled\"},\"type\":\"String\"},\"StoragePublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\",\"displayName\":\"Public network access onStorage accounts should be disabled\"},\"type\":\"String\"}}", - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('CosmosPublicIpDenyEffect')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a", - "policy_group_names": null, - "reference_id": "CosmosDenyPaasPublicIP" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('KeyVaultPublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490", - "policy_group_names": null, - "reference_id": "KeyVaultDenyPaasPublicIP" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlServerPublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780", - "policy_group_names": null, - "reference_id": "SqlServerDenyPaasPublicIP" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('StoragePublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c", - "policy_group_names": null, - "reference_id": "StorageDenyPaasPublicIP" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AKSPublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8", - "policy_group_names": null, - "reference_id": "AKSDenyPaasPublicIP" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('ACRPublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f", - "policy_group_names": null, - "reference_id": "ACRDenyPaasPublicIP" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AFSPublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7", - "policy_group_names": null, - "reference_id": "AFSDenyPaasPublicIP" - }, - { - "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48", - "policy_group_names": null, - "reference_id": "PostgreSQLFlexDenyPublicIP" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLFlexPublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052", - "policy_group_names": null, - "reference_id": "MySQLFlexDenyPublicIP" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('BatchPublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488", - "policy_group_names": null, - "reference_id": "BatchDenyPublicIP" - } - ], - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": { - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - } - ] - } - }, - { - "address": "module.test_root_id_1.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics\"]", - "mode": "managed", - "type": "azurerm_policy_set_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy set deploys the configurations of application Azure resources to 
forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included ", - "display_name": "Deploy Diagnostic Settings to Azure Services", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "name": "Deploy-Diagnostics-LogAnalytics", - "parameters": "{\"ACILogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\",\"displayName\":\"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\"},\"type\":\"String\"},\"ACRLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\",\"displayName\":\"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\"},\"type\":\"String\"},\"AKSLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled.\",\"displayName\":\"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\"},\"type\":\"String\"},\"APIMgmtLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for API Management to Log Analytics workspace\"},\"type\":\"String\"},\"APIforFHIRLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\"},\"type\":\"String\"},\"AnalysisServiceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\"},\"type\":\"String\"},\"AppServiceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\"},\"type\":\"String\"},\"AppServiceWebappLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for App Service to Log Analytics workspace\"},\"type\":\"String\"},\"ApplicationGatewayLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\"},\"type\":\"String\"},\"AutomationLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Automation to Log Analytics workspace\"},\"type\":\"String\"},\"BatchLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Batch to Log Analytics workspace\"},\"type\":\"String\"},\"CDNEndpointsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\"},\"type\":\"String\"},\"CognitiveServicesLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\"},\"type\":\"String\"},\"CosmosLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\"},\"type\":\"String\"},\"DataExplorerClusterLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\"},\"type\":\"String\"},\"DataFactoryLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\"},\"type\":\"String\"},\"DataLakeAnalyticsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\"},\"type\":\"String\"},\"DataLakeStoreLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\"},\"type\":\"String\"},\"DatabricksLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\"},\"type\":\"String\"},\"EventGridSubLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\"},\"type\":\"String\"},\"EventGridTopicLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\"},\"type\":\"String\"},\"EventHubLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\"},\"type\":\"String\"},\"EventSystemTopicLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\"},\"type\":\"String\"},\"ExpressRouteLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\"},\"type\":\"String\"},\"FirewallLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\"},\"type\":\"String\"},\"FrontDoorLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\"},\"type\":\"String\"},\"FunctionAppLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\"},\"type\":\"String\"},\"HDInsightLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\"},\"type\":\"String\"},\"IotHubLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\"},\"type\":\"String\"},\"KeyVaultLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\"},\"type\":\"String\"},\"LoadBalancerLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\"},\"type\":\"String\"},\"LogicAppsISELogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\"},\"type\":\"String\"},\"LogicAppsWFLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\"},\"type\":\"String\"},\"MariaDBLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\"},\"type\":\"String\"},\"MediaServiceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\"},\"type\":\"String\"},\"MlWorkspaceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\"},\"type\":\"String\"},\"MySQLLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\"},\"type\":\"String\"},\"NetworkNICLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\"},\"type\":\"String\"},\"NetworkPublicIPNicLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\"},\"type\":\"String\"},\"NetworkSecurityGroupsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\"},\"type\":\"String\"},\"PostgreSQLLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\"},\"type\":\"String\"},\"PowerBIEmbeddedLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\"},\"type\":\"String\"},\"RedisCacheLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\"},\"type\":\"String\"},\"RelayLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Relay to Log Analytics workspace\"},\"type\":\"String\"},\"SQLDBsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\"},\"type\":\"String\"},\"SQLElasticPoolsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\"},\"type\":\"String\"},\"SQLMLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\"},\"type\":\"String\"},\"SearchServicesLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\"},\"type\":\"String\"},\"ServiceBusLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\"},\"type\":\"String\"},\"SignalRLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\"},\"type\":\"String\"},\"StorageAccountsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\"},\"type\":\"String\"},\"StreamAnalyticsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\"},\"type\":\"String\"},\"TimeSeriesInsightsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\"},\"type\":\"String\"},\"TrafficManagerLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\"},\"type\":\"String\"},\"VMSSLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\"},\"type\":\"String\"},\"VNetGWLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\",\"displayName\":\"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\"},\"type\":\"String\"},\"VirtualMachinesLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\"},\"type\":\"String\"},\"VirtualNetworkLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\"},\"type\":\"String\"},\"WVDAppGroupsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for WVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for WVD Application Groups to Log Analytics workspace\"},\"type\":\"String\"},\"WVDHostPoolsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for WVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for WVD Host pools to Log Analytics workspace\"},\"type\":\"String\"},\"WVDWorkspaceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for WVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for WVD Workspace to Log Analytics workspace\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('StorageAccountsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474", - "policy_group_names": null, - "reference_id": "StorageAccountDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('WVDAppGroupsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup", - "policy_group_names": null, - "reference_id": "WVDAppGroupDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('WVDWorkspaceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace", - "policy_group_names": null, - "reference_id": "WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('WVDHostPoolsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools", - "policy_group_names": null, - "reference_id": "WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('ACILogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI", - "policy_group_names": null, - "reference_id": "ACIDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('ACRLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR", - "policy_group_names": null, - "reference_id": "ACRDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"diagnosticsSettingNameToUse\":{\"value\":\"[parameters('profileName')]\"},\"effect\":{\"value\":\"[parameters('AKSLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8", - "policy_group_names": null, - "reference_id": "AKSDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AnalysisServiceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService", - "policy_group_names": null, - "reference_id": "AnalysisServiceDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('APIforFHIRLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR", - "policy_group_names": null, - "reference_id": "APIforFHIRDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('APIMgmtLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt", - "policy_group_names": null, - "reference_id": "APIMgmtDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('ApplicationGatewayLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway", - "policy_group_names": null, - "reference_id": "ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AutomationLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA", - "policy_group_names": null, - "reference_id": "AutomationDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('BatchLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5", - "policy_group_names": null, - "reference_id": "BatchDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('CDNEndpointsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints", - "policy_group_names": null, - "reference_id": "CDNEndpointsDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('CognitiveServicesLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices", - "policy_group_names": null, - "reference_id": "CognitiveServicesDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('CosmosLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB", - "policy_group_names": null, - "reference_id": "CosmosDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('DatabricksLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks", - "policy_group_names": null, - "reference_id": "DatabricksDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataExplorerClusterLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - 
"policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster", - "policy_group_names": null, - "reference_id": "DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataFactoryLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory", - "policy_group_names": null, - "reference_id": "DataFactoryDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataLakeStoreLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03", - "policy_group_names": null, - "reference_id": "DataLakeStoreDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics", - "policy_group_names": null, - "reference_id": "DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('EventGridSubLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - 
"policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub", - "policy_group_names": null, - "reference_id": "EventGridSubDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('EventGridTopicLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic", - "policy_group_names": null, - "reference_id": "EventGridTopicDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('EventHubLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579", - "policy_group_names": null, - "reference_id": "EventHubDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('EventSystemTopicLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic", - "policy_group_names": null, - "reference_id": "EventSystemTopicDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('ExpressRouteLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - 
"policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute", - "policy_group_names": null, - "reference_id": "ExpressRouteDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('FirewallLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall", - "policy_group_names": null, - "reference_id": "FirewallDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('FrontDoorLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor", - "policy_group_names": null, - "reference_id": "FrontDoorDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('FunctionAppLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function", - "policy_group_names": null, - "reference_id": "FunctionAppDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('HDInsightLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - 
"policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight", - "policy_group_names": null, - "reference_id": "HDInsightDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('IotHubLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub", - "policy_group_names": null, - "reference_id": "IotHubDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('KeyVaultLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47", - "policy_group_names": null, - "reference_id": "KeyVaultDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('LoadBalancerLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer", - "policy_group_names": null, - "reference_id": "LoadBalancerDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('LogicAppsISELogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE", - "policy_group_names": null, - "reference_id": "LogicAppsISEDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('LogicAppsWFLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721", - "policy_group_names": null, - "reference_id": "LogicAppsWFDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('MariaDBLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB", - "policy_group_names": null, - "reference_id": "MariaDBDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('MediaServiceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService", - "policy_group_names": null, - "reference_id": "MediaServiceDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('MlWorkspaceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace", - "policy_group_names": null, - "reference_id": "MlWorkspaceDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL", - "policy_group_names": null, - "reference_id": "MySQLDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups", - "policy_group_names": null, - "reference_id": "NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('NetworkNICLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC", - "policy_group_names": null, - "reference_id": "NetworkNICDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - 
"policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL", - "policy_group_names": null, - "reference_id": "PostgreSQLDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded", - "policy_group_names": null, - "reference_id": "PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"True\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648", - "policy_group_names": null, - "reference_id": "NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3", - "policy_group_names": null, - "reference_id": "RecoveryVaultDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('RedisCacheLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache", - "policy_group_names": null, - "reference_id": "RedisCacheDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('RelayLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay", - "policy_group_names": null, - "reference_id": "RelayDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SearchServicesLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d", - "policy_group_names": null, - "reference_id": "SearchServicesDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('ServiceBusLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e", - "policy_group_names": null, - "reference_id": "ServiceBusDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SignalRLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR", - "policy_group_names": null, - "reference_id": "SignalRDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"diagnosticsSettingNameToUse\":{\"value\":\"[parameters('profileName')]\"},\"effect\":{\"value\":\"[parameters('SQLDBsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84", - "policy_group_names": null, - "reference_id": "SQLDatabaseDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools", - "policy_group_names": null, - "reference_id": "SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLMLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI", - "policy_group_names": null, - "reference_id": "SQLMDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('StreamAnalyticsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673", - "policy_group_names": null, - "reference_id": "StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights", - "policy_group_names": null, - "reference_id": "TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('TrafficManagerLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager", - "policy_group_names": null, - "reference_id": "TrafficManagerDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('VirtualNetworkLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork", - "policy_group_names": null, - "reference_id": "VirtualNetworkDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('VirtualMachinesLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM", - "policy_group_names": null, - "reference_id": "VirtualMachinesDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('VMSSLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS", - "policy_group_names": null, - "reference_id": "VMSSDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('VNetGWLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW", - "policy_group_names": null, - "reference_id": "VNetGWDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AppServiceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm", - "policy_group_names": null, - "reference_id": "AppServiceDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AppServiceWebappLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website", - "policy_group_names": null, - "reference_id": "AppServiceWebappDeployDiagnosticLogDeployLogAnalytics" - } - ], - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": { - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - 
"parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - } - ] - } - }, - { - "address": "module.test_root_id_1.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config\"]", - "mode": "managed", - "type": "azurerm_policy_set_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy Microsoft Defender for Cloud configuration", - "display_name": "Deploy Microsoft Defender for Cloud configuration", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Security Center\",\"version\":\"3.0.0\"}", - "name": "Deploy-MDFC-Config", - "parameters": "{\"ascExportResourceGroupLocation\":{\"metadata\":{\"description\":\"The location where the resource group and the export to Log Analytics workspace configuration are created.\",\"displayName\":\"Resource Group location for the export to Log Analytics workspace configuration\"},\"type\":\"String\"},\"ascExportResourceGroupName\":{\"metadata\":{\"description\":\"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. 
Note that each resource group can only have one export to Log Analytics workspace configured.\",\"displayName\":\"Resource Group name for the export to Log Analytics workspace configuration\"},\"type\":\"String\"},\"emailSecurityContact\":{\"metadata\":{\"description\":\"Provide email address for Microsoft Defender for Cloud contact details\",\"displayName\":\"Security contacts email address\"},\"type\":\"string\"},\"enableAscForAppServices\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForArm\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForContainers\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForDns\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForKeyVault\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForOssDb\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForServers\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForSql\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForSqlOnVm\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForStorage\":{\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Primary Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"}}", - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForOssDb')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a", - "policy_group_names": null, - "reference_id": "defenderForOssDb" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForServers')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222", - "policy_group_names": null, - "reference_id": "defenderForVM" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForSqlOnVm')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3", - "policy_group_names": null, - "reference_id": "defenderForSqlServerVirtualMachines" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForAppServices')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d", - "policy_group_names": null, - "reference_id": "defenderForAppServices" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForStorage')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3", - "policy_group_names": null, - "reference_id": "defenderForStorageAccounts" - }, - { - 
"parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForContainers')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f", - "policy_group_names": null, - "reference_id": "defenderforContainers" - }, - { - "parameter_values": "{\"Effect\":{\"value\":\"[parameters('enableAscForKeyVault')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7", - "policy_group_names": null, - "reference_id": "defenderForKeyVaults" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForDns')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f", - "policy_group_names": null, - "reference_id": "defenderForDns" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForArm')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9", - "policy_group_names": null, - "reference_id": "defenderForArm" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForSql')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491", - "policy_group_names": null, - "reference_id": "defenderForSqlPaas" - }, - { - "parameter_values": "{\"emailSecurityContact\":{\"value\":\"[parameters('emailSecurityContact')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts", - "policy_group_names": null, - "reference_id": "securityEmailContact" - }, - { - "parameter_values": 
"{\"resourceGroupLocation\":{\"value\":\"[parameters('ascExportResourceGroupLocation')]\"},\"resourceGroupName\":{\"value\":\"[parameters('ascExportResourceGroupName')]\"},\"workspaceResourceId\":{\"value\":\"[parameters('logAnalytics')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9", - "policy_group_names": null, - "reference_id": "ascExport" - } - ], - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": { - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - } - ] - } - }, - { - "address": "module.test_root_id_1.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones\"]", - "mode": "managed", - "type": "azurerm_policy_set_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones", - "display_name": "Configure Azure PaaS services to use private DNS zones", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", - "name": "Deploy-Private-DNS-Zones", - "parameters": "{\"azureAcrPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone 
Identifier\",\"displayName\":\"azureAcrPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureAppPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureAppPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureAppServicesPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureAppServicesPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureAsrPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureAsrPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureBatchPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureBatchPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureCognitiveSearchPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureCognitiveSearchPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureCognitiveServicesPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureCognitiveServicesPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureDiskAccessPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureDiskAccessPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureEventGridDomainsPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone 
Identifier\",\"displayName\":\"azureEventGridDomainsPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureEventGridTopicsPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureEventGridTopicsPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureEventHubNamespacePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureEventHubNamespacePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureFilePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureFilePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureIotHubsPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureIotHubsPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureIotPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureIotPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureKeyVaultPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureKeyVaultPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureMachineLearningWorkspacePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureMachineLearningWorkspacePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureRedisCachePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone 
Identifier\",\"displayName\":\"azureRedisCachePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureServiceBusNamespacePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureServiceBusNamespacePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureSignalRPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureSignalRPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureWebPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureWebPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"string\"},\"effect1\":{\"allowedValues\":[\"deployIfNotExists\",\"Disabled\"],\"defaultValue\":\"deployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"string\"}}", - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureFileprivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-File-Sync" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureWebPrivateDnsZoneId')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-Web" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureBatchPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-Batch" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureAppPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-App" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureAsrPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-Site-Recovery" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureIotPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-IoT" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureKeyVaultPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-KeyVault" - }, 
- { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureSignalRPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-SignalR" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureAppServicesPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-AppServices" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect1')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-EventGridTopics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureDiskAccessPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-DiskAccess" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-CognitiveServices" - }, - { - "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('effect1')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureIotHubsPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-IoTHubs" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect1')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-EventGridDomains" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureRedisCachePrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-RedisCache" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureAcrPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-ACR" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-EventHubNamespace" - }, - { - "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-MachineLearningWorkspace" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-ServiceBusNamespace" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-CognitiveSearch" - } - ], - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": { - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - } - ] - } - }, - { - "address": 
"module.test_root_id_1.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security\"]", - "mode": "managed", - "type": "azurerm_policy_set_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment", - "display_name": "Deploy SQL Database built-in SQL security configuration", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "name": "Deploy-Sql-Security", - "parameters": "{\"SqlDbAuditingSettingsDeploySqlSecurityEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy auditing settings to SQL Database when it not exist in the deployment\",\"displayName\":\"Deploy SQL database auditing settings\"},\"type\":\"String\"},\"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\",\"displayName\":\"Deploy SQL Database security Alert Policies configuration with email admin accounts\"},\"type\":\"String\"},\"SqlDbTdeDeploySqlSecurityEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy the Transparent Data Encryption when it is not enabled in the deployment\",\"displayName\":\"Deploy SQL Database Transparent Data Encryption 
\"},\"type\":\"String\"},\"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\",\"displayName\":\"Deploy SQL Database vulnerability Assessments\"},\"type\":\"String\"},\"vulnerabilityAssessmentsEmail\":{\"metadata\":{\"description\":\"The email address to send alerts\",\"displayName\":\"The email address to send alerts\"},\"type\":\"String\"},\"vulnerabilityAssessmentsStorageID\":{\"metadata\":{\"description\":\"The storage account ID to store assessments\",\"displayName\":\"The storage account ID to store assessments\"},\"type\":\"String\"}}", - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde", - "policy_group_names": null, - "reference_id": "SqlDbTdeDeploySqlSecurity" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies", - "policy_group_names": null, - "reference_id": "SqlDbSecurityAlertPoliciesDeploySqlSecurity" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings", - "policy_group_names": null, - "reference_id": "SqlDbAuditingSettingsDeploySqlSecurity" - 
}, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"},\"vulnerabilityAssessmentsEmail\":{\"value\":\"[parameters('vulnerabilityAssessmentsEmail')]\"},\"vulnerabilityAssessmentsStorageID\":{\"value\":\"[parameters('vulnerabilityAssessmentsStorageID')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments", - "policy_group_names": null, - "reference_id": "SqlDbVulnerabilityAssessmentsDeploySqlSecurity" - } - ], - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": { - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - } - ] - } - }, - { - "address": "module.test_root_id_1.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit\"]", - "mode": "managed", - "type": "azurerm_policy_set_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit. 
", - "display_name": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Encryption\",\"version\":\"1.0.0\"}", - "name": "Enforce-EncryptTransit", - "parameters": "{\"AKSIngressHttpsOnlyEffect\":{\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"deny\",\"metadata\":{\"description\":\"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\",\"displayName\":\"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\"},\"type\":\"String\"},\"APIAppServiceHttpsEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\"displayName\":\"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\"},\"type\":\"String\"},\"APIAppServiceLatestTlsEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"App Service API App. Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\",\"displayName\":\"App Service API App. Latest TLS version should be used in your API App\"},\"type\":\"String\"},\"AppServiceHttpEffect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\",\"displayName\":\"App Service. 
Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\"},\"type\":\"String\"},\"AppServiceTlsVersionEffect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\",\"displayName\":\"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\"},\"type\":\"String\"},\"AppServiceminTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"App Service. Select version minimum TLS version for a Web App config to enforce\",\"displayName\":\"App Service. Select version minimum TLS Web App config\"},\"type\":\"String\"},\"FunctionLatestTlsEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\",\"displayName\":\"App Service Function App. Latest TLS version should be used in your Function App\"},\"type\":\"String\"},\"FunctionServiceHttpsEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\"displayName\":\"App Service Function App. Function App should only be accessible over HTTPS. 
Choose Deny or Audit in combination with Append policy.\"},\"type\":\"String\"},\"MySQLEnableSSLDeployEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\"},\"type\":\"String\"},\"MySQLEnableSSLEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\"},\"type\":\"String\"},\"MySQLminimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"MySQL database servers. 
Select version minimum TLS for MySQL server\"},\"type\":\"String\"},\"PostgreSQLEnableSSLDeployEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\"},\"type\":\"String\"},\"PostgreSQLEnableSSLEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\"},\"type\":\"String\"},\"PostgreSQLminimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"PostgreSQL database servers. 
Select version minimum TLS for MySQL server\"},\"type\":\"String\"},\"RedisMinTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version for a Azure Cache for Redis to enforce\",\"displayName\":\"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\"},\"type\":\"String\"},\"RedisTLSDeployEffect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\"},\"type\":\"String\"},\"RedisTLSEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\"displayName\":\"Azure Cache for Redis. 
Only secure connections to your Azure Cache for Redis should be enabled\"},\"type\":\"String\"},\"SQLManagedInstanceMinTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version for Azure Managed Instanceto to enforce\",\"displayName\":\"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\"},\"type\":\"String\"},\"SQLManagedInstanceTLSDeployEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\"},\"type\":\"String\"},\"SQLManagedInstanceTLSEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\",\"displayName\":\"SQL Managed Instance should have the minimal TLS version of 1.2\"},\"type\":\"String\"},\"SQLServerTLSDeployEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. 
Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\"},\"type\":\"String\"},\"SQLServerTLSEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\",\"displayName\":\"Azure SQL Database should have the minimal TLS version of 1.2\"},\"type\":\"String\"},\"SQLServerminTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version for Azure SQL Database to enforce\",\"displayName\":\"Azure SQL Database.Select version minimum TLS for Azure SQL Database\"},\"type\":\"String\"},\"StorageDeployHttpsEnabledEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\",\"displayName\":\"Azure Storage Account. 
Deploy Secure transfer to storage accounts should be enabled\"},\"type\":\"String\"},\"StorageHttpsEnabledEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\",\"displayName\":\"Azure Storage Account. Secure transfer to storage accounts should be enabled\"},\"type\":\"String\"},\"StorageminimumTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_1\",\"TLS1_0\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version on Azure Storage Account to enforce\",\"displayName\":\"Storage Account select minimum TLS version\"},\"type\":\"String\"},\"WebAppServiceHttpsEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\"displayName\":\"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\"},\"type\":\"String\"},\"WebAppServiceLatestTlsEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\",\"displayName\":\"App Service Web App. 
Latest TLS version should be used in your Web App\"},\"type\":\"String\"}}", - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AppServiceHttpEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", - "policy_group_names": null, - "reference_id": "AppServiceHttpEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AppServiceTlsVersionEffect')]\"},\"minTlsVersion\":{\"value\":\"[parameters('AppServiceminTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", - "policy_group_names": null, - "reference_id": "AppServiceminTlsVersion" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('APIAppServiceLatestTlsEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e", - "policy_group_names": null, - "reference_id": "APIAppServiceLatestTlsEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('FunctionLatestTlsEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", - "policy_group_names": null, - "reference_id": "FunctionLatestTlsEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('WebAppServiceLatestTlsEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", - "policy_group_names": null, - "reference_id": "WebAppServiceLatestTlsEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('APIAppServiceHttpsEffect')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", - "policy_group_names": null, - "reference_id": "APIAppServiceHttpsEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('FunctionServiceHttpsEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", - "policy_group_names": null, - "reference_id": "FunctionServiceHttpsEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('WebAppServiceHttpsEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", - "policy_group_names": null, - "reference_id": "WebAppServiceHttpsEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AKSIngressHttpsOnlyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", - "policy_group_names": null, - "reference_id": "AKSIngressHttpsOnlyEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLEnableSSLDeployEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('MySQLminimalTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", - "policy_group_names": null, - "reference_id": "MySQLEnableSSLDeployEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLEnableSSLEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('MySQLminimalTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", - 
"policy_group_names": null, - "reference_id": "MySQLEnableSSLEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLEnableSSLDeployEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('PostgreSQLminimalTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", - "policy_group_names": null, - "reference_id": "PostgreSQLEnableSSLDeployEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLEnableSSLEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('PostgreSQLminimalTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", - "policy_group_names": null, - "reference_id": "PostgreSQLEnableSSLEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('RedisTLSDeployEffect')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('RedisMinTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", - "policy_group_names": null, - "reference_id": "RedisTLSDeployEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('RedisTLSDeployEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", - "policy_group_names": null, - "reference_id": "RedisdisableNonSslPort" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('RedisTLSEffect')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('RedisMinTlsVersion')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", - "policy_group_names": null, - "reference_id": "RedisDenyhttps" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLManagedInstanceTLSDeployEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('SQLManagedInstanceMinTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", - "policy_group_names": null, - "reference_id": "SQLManagedInstanceTLSDeployEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLManagedInstanceTLSEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('SQLManagedInstanceMinTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", - "policy_group_names": null, - "reference_id": "SQLManagedInstanceTLSEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLServerTLSDeployEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('SQLServerminTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", - "policy_group_names": null, - "reference_id": "SQLServerTLSDeployEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLServerTLSEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('SQLServerminTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", - "policy_group_names": null, - "reference_id": "SQLServerTLSEffect" - }, - { - "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('StorageHttpsEnabledEffect')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('StorageMinimumTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS", - "policy_group_names": null, - "reference_id": "StorageHttpsEnabledEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('StorageDeployHttpsEnabledEffect')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('StorageMinimumTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", - "policy_group_names": null, - "reference_id": "StorageDeployHttpsEnabledEffect" - } - ], - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": { - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - } - ] - } - }, - { - "address": "module.test_root_id_1.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK\"]", - "mode": "managed", - "type": "azurerm_policy_set_definition", - "name": "enterprise_scale", - "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", - "display_name": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", - "management_group_name": "root-id-1", - "metadata": "{\"category\":\"Encryption\",\"version\":\"1.0.0\"}", - "name": "Enforce-Encryption-CMK", - "parameters": "{\"ACRCmkEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\",\"displayName\":\"Container registries should be encrypted with a customer-managed key (CMK)\"},\"type\":\"String\"},\"AksCmkEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. 
This is a common requirement in many regulatory and industry compliance standards.\",\"displayName\":\"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\"},\"type\":\"String\"},\"AzureBatchCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\",\"displayName\":\"Azure Batch account should use customer-managed keys to encrypt data\"},\"type\":\"String\"},\"CognitiveServicesCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\",\"displayName\":\"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\"},\"type\":\"String\"},\"CosmosCMKEffect\":{\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\",\"metadata\":{\"description\":\"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. 
By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\",\"displayName\":\"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\"},\"type\":\"String\"},\"DataBoxCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\",\"displayName\":\"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\"},\"type\":\"String\"},\"EncryptedVMDisksEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\",\"displayName\":\"Disk encryption should be applied on virtual machines\"},\"type\":\"String\"},\"HealthcareAPIsCMKEffect\":{\"allowedValues\":[\"audit\",\"disabled\"],\"defaultValue\":\"audit\",\"metadata\":{\"description\":\"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. 
Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\",\"displayName\":\"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\"},\"type\":\"String\"},\"MySQLCMKEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\"displayName\":\"Azure MySQL servers bring your own key data protection should be enabled\"},\"type\":\"String\"},\"PostgreSQLCMKEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.\",\"displayName\":\"Azure PostgreSQL servers bring your own key data protection should be enabled\"},\"type\":\"String\"},\"SqlServerTDECMKEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\",\"displayName\":\"SQL servers should use customer-managed keys to encrypt data at rest\"},\"type\":\"String\"},\"StorageCMKEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\",\"displayName\":\"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\"},\"type\":\"String\"},\"StreamAnalyticsCMKEffect\":{\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\",\"metadata\":{\"description\":\"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. 
This gives you total control over how your Stream Analytics data is encrypted.\",\"displayName\":\"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\"},\"type\":\"String\"},\"SynapseWorkspaceCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\",\"displayName\":\"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\"},\"type\":\"String\"},\"WorkspaceCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\",\"displayName\":\"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\"},\"type\":\"String\"}}", - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('ACRCmkEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580", - "policy_group_names": null, - "reference_id": "ACRCmkDeny" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AksCmkEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67", - "policy_group_names": null, - "reference_id": "AksCmkDeny" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('WorkspaceCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8", - "policy_group_names": null, - "reference_id": "WorkspaceCMK" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('CognitiveServicesCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d", - "policy_group_names": null, - "reference_id": "CognitiveServicesCMK" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('CosmosCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f", - "policy_group_names": null, - "reference_id": "CosmosCMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataBoxCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae", - "policy_group_names": null, - "reference_id": "DataBoxCMKEffect" - }, - { - "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('StreamAnalyticsCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7", - "policy_group_names": null, - "reference_id": "StreamAnalyticsCMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SynapseWorkspaceCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385", - "policy_group_names": null, - "reference_id": "SynapseWorkspaceCMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('StorageCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25", - "policy_group_names": null, - "reference_id": "StorageCMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833", - "policy_group_names": null, - "reference_id": "MySQLCMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274", - "policy_group_names": null, - "reference_id": "PostgreSQLCMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlServerTDECMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd", - "policy_group_names": null, - "reference_id": "SqlServerTDECMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('HealthcareAPIsCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119", - "policy_group_names": null, - "reference_id": 
"HealthcareAPIsCMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AzureBatchCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a", - "policy_group_names": null, - "reference_id": "AzureBatchCMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('EncryptedVMDisksEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d", - "policy_group_names": null, - "reference_id": "EncryptedVMDisksEffect" - } - ], - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": { - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - } - ] - } - }, - { - "address": "module.test_root_id_1.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-connectivity/providers/Microsoft.Authorization/roleAssignments/2c342278-007c-54fe-9248-9b595e234ba9\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-connectivity/providers/Microsoft.Authorization/roleAssignments/2c342278-007c-54fe-9248-9b595e234ba9", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "2c342278-007c-54fe-9248-9b595e234ba9", - "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-connectivity", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/roleAssignments/913f587c-77a4-5440-ba16-48de7d0080d2\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/roleAssignments/913f587c-77a4-5440-ba16-48de7d0080d2", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "913f587c-77a4-5440-ba16-48de7d0080d2", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/roleAssignments/cfaa2796-3156-5c78-94a2-7c017ffe32bb\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/roleAssignments/cfaa2796-3156-5c78-94a2-7c017ffe32bb", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": 
"cfaa2796-3156-5c78-94a2-7c017ffe32bb", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/1134e9e3-3bc3-5220-89e4-0c7ac5e0e779\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/1134e9e3-3bc3-5220-89e4-0c7ac5e0e779", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "1134e9e3-3bc3-5220-89e4-0c7ac5e0e779", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/3621f075-0492-5ec9-a8ad-40d284e3e4d1\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/3621f075-0492-5ec9-a8ad-40d284e3e4d1", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - 
"delegated_managed_identity_resource_id": null, - "description": null, - "name": "3621f075-0492-5ec9-a8ad-40d284e3e4d1", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/7045a468-5463-57ef-85af-cd7f5397aa16\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/7045a468-5463-57ef-85af-cd7f5397aa16", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "7045a468-5463-57ef-85af-cd7f5397aa16", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/78b4dff1-81d0-5991-aec4-332fdce426cb\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/78b4dff1-81d0-5991-aec4-332fdce426cb", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - 
"schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "78b4dff1-81d0-5991-aec4-332fdce426cb", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/926ac02b-01f3-57dc-b7d0-b7a1056019f4\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/926ac02b-01f3-57dc-b7d0-b7a1056019f4", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "926ac02b-01f3-57dc-b7d0-b7a1056019f4", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/a3ca23ea-bd49-51a5-a288-c88857197d75\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/a3ca23ea-bd49-51a5-a288-c88857197d75", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "a3ca23ea-bd49-51a5-a288-c88857197d75", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/bfba15ef-a6d1-5f62-9730-d7ffc81bae8c\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/bfba15ef-a6d1-5f62-9730-d7ffc81bae8c", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "bfba15ef-a6d1-5f62-9730-d7ffc81bae8c", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/18ed5180-3e48-46fd-8541-4ea054d57064", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-management/providers/Microsoft.Authorization/roleAssignments/3cc45445-2e8f-5ed8-9e5a-0b73e3739c62\"]", - "mode": "managed", - 
"type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1-management/providers/Microsoft.Authorization/roleAssignments/3cc45445-2e8f-5ed8-9e5a-0b73e3739c62", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "3cc45445-2e8f-5ed8-9e5a-0b73e3739c62", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-management", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/130a22c1-674c-5a2a-b818-15ffc7d51207\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/130a22c1-674c-5a2a-b818-15ffc7d51207", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "130a22c1-674c-5a2a-b818-15ffc7d51207", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/19d1b7bb-0519-5651-91ab-25499f1709ad\"]", - 
"mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/19d1b7bb-0519-5651-91ab-25499f1709ad", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "19d1b7bb-0519-5651-91ab-25499f1709ad", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/281224b7-afc9-5e49-8553-8ca4d6c01a8a\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/281224b7-afc9-5e49-8553-8ca4d6c01a8a", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "281224b7-afc9-5e49-8553-8ca4d6c01a8a", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/4a679915-ced3-5c00-88d6-4f66597b95a4\"]", - 
"mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/4a679915-ced3-5c00-88d6-4f66597b95a4", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "4a679915-ced3-5c00-88d6-4f66597b95a4", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/4e722adf-bfdc-516b-9dde-5eff6fbd980e\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/4e722adf-bfdc-516b-9dde-5eff6fbd980e", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "4e722adf-bfdc-516b-9dde-5eff6fbd980e", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/5ff839a8-6bd0-5967-b385-4340bdeda854\"]", - 
"mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/5ff839a8-6bd0-5967-b385-4340bdeda854", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "5ff839a8-6bd0-5967-b385-4340bdeda854", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/6ebb856f-5448-5efc-9dc4-07e7065dc6ff\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/6ebb856f-5448-5efc-9dc4-07e7065dc6ff", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "6ebb856f-5448-5efc-9dc4-07e7065dc6ff", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/7eaea779-6033-5588-93af-e5dd34f731ab\"]", - 
"mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/7eaea779-6033-5588-93af-e5dd34f731ab", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "7eaea779-6033-5588-93af-e5dd34f731ab", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/7f9a44eb-87f1-5b90-bcff-fcf48b20b251\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/7f9a44eb-87f1-5b90-bcff-fcf48b20b251", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "7f9a44eb-87f1-5b90-bcff-fcf48b20b251", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/95eb7160-7dee-545e-8f03-79c8f032e209\"]", - 
"mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/95eb7160-7dee-545e-8f03-79c8f032e209", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "95eb7160-7dee-545e-8f03-79c8f032e209", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/a77036d7-9519-59c5-8a42-5fc5ebe92c6c\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/a77036d7-9519-59c5-8a42-5fc5ebe92c6c", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "a77036d7-9519-59c5-8a42-5fc5ebe92c6c", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_1.azurerm_role_definition.enterprise_scale[\"/providers/Microsoft.Authorization/roleDefinitions/6a8ddaca-120a-579a-a375-1abe30d29f6d\"]", - "mode": "managed", - "type": "azurerm_role_definition", - 
"name": "enterprise_scale", - "index": "/providers/Microsoft.Authorization/roleDefinitions/6a8ddaca-120a-579a-a375-1abe30d29f6d", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 1, - "values": { - "assignable_scopes": [ - "/providers/Microsoft.Management/managementGroups/root-id-1" - ], - "description": "Enterprise-scale custom Role Definition. Grants full access to manage Virtual Network subnets, but no other network resources.", - "name": "[ROOT-ID-1] Network-Subnet-Contributor", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.Network/*/read", - "Microsoft.Network/virtualNetworks/subnets/*" - ], - "data_actions": null, - "not_actions": [], - "not_data_actions": null - } - ], - "role_definition_id": "6a8ddaca-120a-579a-a375-1abe30d29f6d", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", - "timeouts": null - }, - "sensitive_values": { - "assignable_scopes": [ - false - ], - "permissions": [ - { - "actions": [ - false, - false, - false, - false, - false, - false, - false, - false - ], - "not_actions": [] - } - ] - } - }, - { - "address": "module.test_root_id_1.time_sleep.after_azurerm_management_group", - "mode": "managed", - "type": "time_sleep", - "name": "after_azurerm_management_group", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "values": { - "create_duration": "120s", - "destroy_duration": "0s", - "triggers": { - "azurerm_management_group_level_1": "[\"/providers/Microsoft.Management/managementGroups/root-id-1\"]", - "azurerm_management_group_level_2": 
"[\"/providers/Microsoft.Management/managementGroups/root-id-1-decommissioned\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones\",\"/providers/Microsoft.Management/managementGroups/root-id-1-platform\",\"/providers/Microsoft.Management/managementGroups/root-id-1-sandboxes\"]", - "azurerm_management_group_level_3": "[\"/providers/Microsoft.Management/managementGroups/root-id-1-connectivity\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity\",\"/providers/Microsoft.Management/managementGroups/root-id-1-management\"]", - "azurerm_management_group_level_4": "[]", - "azurerm_management_group_level_5": "[]", - "azurerm_management_group_level_6": "[]" - } - }, - "sensitive_values": { - "triggers": {} - } - }, - { - "address": "module.test_root_id_1.time_sleep.after_azurerm_policy_assignment", - "mode": "managed", - "type": "time_sleep", - "name": "after_azurerm_policy_assignment", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "values": { - "create_duration": "30s", - "destroy_duration": "0s", - "triggers": { - "azurerm_management_group_policy_assignment_enterprise_scale": 
"[\"/providers/Microsoft.Management/managementGroups/root-id-1-connectivity/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Public-IP\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-IP-Forwarding\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Containers-AKS\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Escalation-AKS\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Storage-http\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-AKS-Policy\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-DB-Auditing\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zo
nes/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Threat\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-AKS-HTTPS\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL\",\"/providers/Microsoft.Management/managementGroups/root-id-1-management/providers/Microsoft.Authorization/policyAssignments/Deploy-Log-Analytics\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Monitoring\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-AzActivity-Log\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-LX-Arc-Monitoring\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-MDFC-Config\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-Resource-Diag\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-Monitoring\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-WS-Arc-Monitoring\"]" - } - }, - "sensitive_values": { - "triggers": {} - } - }, - { - "address": 
"module.test_root_id_1.time_sleep.after_azurerm_policy_definition", - "mode": "managed", - "type": "time_sleep", - "name": "after_azurerm_policy_definition", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "values": { - "create_duration": "30s", - "destroy_duration": "0s", - "triggers": { - "azurerm_policy_definition_enterprise_scale": "[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AA-child-resources\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\"/providers/Microsoft.Management/managementGroups
/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Aks\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-SubnetId\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-VmSize\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-Scale\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-HbiWorkspace\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicAccessWhenBehindVnet\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions
/Deny-Private-DNS-Zones\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-VNet-Peering\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Budget\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Custom-Route-Table\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers
/Microsoft.Authorization/policyDefinitions/Deploy-DDoSProtection\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\"/providers/Microsoft.Management/manageme
ntGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspac
e\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinition
s/Deploy-Diagnostics-VMSS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-FirewallPolicy\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs-to-LA\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefini
tions/Deploy-SQL-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-VNET-HubSpoke\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Windows-DomainJoin\"]" - } - }, - "sensitive_values": { - "triggers": {} - } - }, - { - "address": "module.test_root_id_1.time_sleep.after_azurerm_policy_set_definition", - "mode": "managed", - "type": "time_sleep", - "name": "after_azurerm_policy_set_definition", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "values": { - "create_duration": "30s", - "destroy_duration": "0s", - "triggers": { - "azurerm_policy_set_definition_enterprise_scale": 
"[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK\"]" - } - }, - "sensitive_values": { - "triggers": {} - } - }, - { - "address": "module.test_root_id_1.time_sleep.after_azurerm_role_assignment", - "mode": "managed", - "type": "time_sleep", - "name": "after_azurerm_role_assignment", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "values": { - "create_duration": "30s", - "destroy_duration": "0s", - "triggers": { - "azurerm_policy_assignment_enterprise_scale": "[]", - "azurerm_policy_assignment_policy_assignment": 
"[\"/providers/Microsoft.Management/managementGroups/root-id-1-connectivity/providers/Microsoft.Authorization/roleAssignments/2c342278-007c-54fe-9248-9b595e234ba9\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/roleAssignments/913f587c-77a4-5440-ba16-48de7d0080d2\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/roleAssignments/cfaa2796-3156-5c78-94a2-7c017ffe32bb\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/1134e9e3-3bc3-5220-89e4-0c7ac5e0e779\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/3621f075-0492-5ec9-a8ad-40d284e3e4d1\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/7045a468-5463-57ef-85af-cd7f5397aa16\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/78b4dff1-81d0-5991-aec4-332fdce426cb\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/926ac02b-01f3-57dc-b7d0-b7a1056019f4\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/a3ca23ea-bd49-51a5-a288-c88857197d75\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/bfba15ef-a6d1-5f62-9730-d7ffc81bae8c\",\"/providers/Microsoft.Management/managementGroups/root-id-1-management/providers/Microsoft.Authorization/roleAssignments/3cc45445-2e8f-5ed8-9e5a-0b73e3739c62\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/130a22c1-674c-5a2a-b818-15ffc7d51207\",\"/providers/Microsoft.Management/managementGroups/root-id
-1/providers/Microsoft.Authorization/roleAssignments/19d1b7bb-0519-5651-91ab-25499f1709ad\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/281224b7-afc9-5e49-8553-8ca4d6c01a8a\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/4a679915-ced3-5c00-88d6-4f66597b95a4\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/4e722adf-bfdc-516b-9dde-5eff6fbd980e\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/5ff839a8-6bd0-5967-b385-4340bdeda854\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/6ebb856f-5448-5efc-9dc4-07e7065dc6ff\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/7eaea779-6033-5588-93af-e5dd34f731ab\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/7f9a44eb-87f1-5b90-bcff-fcf48b20b251\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/95eb7160-7dee-545e-8f03-79c8f032e209\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/a77036d7-9519-59c5-8a42-5fc5ebe92c6c\"]" - } - }, - "sensitive_values": { - "triggers": {} - } - }, - { - "address": "module.test_root_id_1.time_sleep.after_azurerm_role_definition", - "mode": "managed", - "type": "time_sleep", - "name": "after_azurerm_role_definition", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "values": { - "create_duration": "30s", - "destroy_duration": "0s", - "triggers": { - "azurerm_role_definition_enterprise_scale": "[\"/providers/Microsoft.Authorization/roleDefinitions/6a8ddaca-120a-579a-a375-1abe30d29f6d\"]" - } - }, - 
"sensitive_values": { - "triggers": {} - } - } - ], - "address": "module.test_root_id_1" - }, - { - "resources": [ - { - "address": "module.test_root_id_2.azurerm_management_group.level_1[\"/providers/Microsoft.Management/managementGroups/root-id-2\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_1", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "root-name-2", - "name": "root-id-2", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/dac8feee-8768-4fbd-9cf9-9d96d4718018", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group.level_2[\"/providers/Microsoft.Management/managementGroups/root-id-2-decommissioned\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_2", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-decommissioned", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Decommissioned", - "name": "root-id-2-decommissioned", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group.level_2[\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_2", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Landing Zones", - "name": "root-id-2-landing-zones", - "parent_management_group_id": 
"/providers/Microsoft.Management/managementGroups/root-id-2", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group.level_2[\"/providers/Microsoft.Management/managementGroups/root-id-2-platform\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_2", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-platform", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Platform", - "name": "root-id-2-platform", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group.level_2[\"/providers/Microsoft.Management/managementGroups/root-id-2-sandboxes\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_2", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-sandboxes", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Sandboxes", - "name": "root-id-2-sandboxes", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-2-connectivity\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_3", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-connectivity", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Connectivity", - "name": "root-id-2-connectivity", - "parent_management_group_id": 
"/providers/Microsoft.Management/managementGroups/root-id-2-platform", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-2-corp\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_3", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-corp", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Corp", - "name": "root-id-2-corp", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-2-demo-corp\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_3", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-demo-corp", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Corp (Demo)", - "name": "root-id-2-demo-corp", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-2-demo-online\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_3", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-demo-online", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Online (Demo)", - "name": "root-id-2-demo-online", - "parent_management_group_id": 
"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-2-demo-sap\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_3", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-demo-sap", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "SAP (Demo)", - "name": "root-id-2-demo-sap", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-2-identity\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_3", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-identity", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Identity", - "name": "root-id-2-identity", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-platform", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-2-management\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_3", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-management", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Management", - "name": "root-id-2-management", - "parent_management_group_id": 
"/providers/Microsoft.Management/managementGroups/root-id-2-platform", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-2-online\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_3", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-online", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Online", - "name": "root-id-2-online", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-2-sap\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_3", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-sap", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "SAP", - "name": "root-id-2-sap", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2-connectivity/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-connectivity/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET", - "provider_name": 
"registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs.", - "display_name": "Virtual networks should be protected by Azure DDoS Protection Standard", - "enforce": false, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-connectivity", - "name": "Enable-DDoS-VNET", - "not_scopes": [], - "parameters": "{\"ddosPlan\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-ddos/providers/Microsoft.Network/ddosProtectionPlans/root-id-2-ddos-eastus\"},\"effect\":{\"value\":\"Modify\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2-corp/providers/Microsoft.Authorization/policyAssignments/Deny-Public-Endpoints\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-corp/providers/Microsoft.Authorization/policyAssignments/Deny-Public-Endpoints", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints.", - "display_name": "Public network access should be disabled for PaaS services", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": 
"/providers/Microsoft.Management/managementGroups/root-id-2-corp", - "name": "Deny-Public-Endpoints", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones.", - "display_name": "Configure Azure PaaS services to use private DNS zones", - "enforce": false, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-corp", - "name": "Deploy-Private-DNS-Zones", - "not_scopes": [], - "parameters": 
"{\"azureAcrPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io\"},\"azureAppPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io\"},\"azureAppServicesPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net\"},\"azureAsrPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.siterecovery.windowsazure.com\"},\"azureBatchPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.eastus.batch.azure.com\"},\"azureCognitiveSearchPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.search.windows.net\"},\"azureCognitiveServicesPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.cognitiveservices.azure.com\"},\"azureDiskAccessPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net\"},\"azureEventGridDomainsPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.eventgrid.azure.net\"},\"azureEventGridTopicsPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/
root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.eventgrid.azure.net\"},\"azureEventHubNamespacePrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net\"},\"azureFilePrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.afs.azure.net\"},\"azureIoTPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azure-devices-provisioning.net\"},\"azureIotHubsPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azure-devices.net\"},\"azureKeyVaultPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net\"},\"azureMachineLearningWorkspacePrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.api.azureml.ms\"},\"azureRedisCachePrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net\"},\"azureServiceBusNamespacePrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net\"},\"azureSignalRPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.service.signalr.net\"},\"azureWe
bPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.webpubsub.azure.com\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2-demo-corp/providers/Microsoft.Authorization/policyAssignments/Deny-Public-Endpoints\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-demo-corp/providers/Microsoft.Authorization/policyAssignments/Deny-Public-Endpoints", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints.", - "display_name": "Public network access should be disabled for PaaS services", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-demo-corp", - "name": "Deny-Public-Endpoints", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": 
"module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2-demo-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-demo-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones.", - "display_name": "Configure Azure PaaS services to use private DNS zones", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-demo-corp", - "name": "Deploy-Private-DNS-Zones", - "not_scopes": [], - "parameters": 
"{\"azureAcrPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io\"},\"azureAppPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io\"},\"azureAppServicesPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net\"},\"azureAsrPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/eastus.privatelink.siterecovery.windowsazure.com\"},\"azureBatchPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.eastus.batch.azure.com\"},\"azureCognitiveSearchPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.search.windows.net\"},\"azureCognitiveServicesPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.cognitiveservices.azure.com\"},\"azureDiskAccessPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net\"},\"azureEventGridDomainsPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.eventgrid.azure.net\"},\"azureEventGridTopicsPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resource
Groups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.eventgrid.azure.net\"},\"azureEventHubNamespacePrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net\"},\"azureFilePrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.afs.azure.net\"},\"azureIoTPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azure-devices-provisioning.net\"},\"azureIotHubsPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azure-devices.net\"},\"azureKeyVaultPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net\"},\"azureMachineLearningWorkspacePrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.api.azureml.ms\"},\"azureRedisCachePrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net\"},\"azureServiceBusNamespacePrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net\"},\"azureSignalRPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.service.signalr.net\"},\"
azureWebPrivateDnsZoneId\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-dns/providers/Microsoft.Network/privateDnsZones/privatelink.webpubsub.azure.com\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Public-IP\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Public-IP", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies creation of Public IPs under the assigned scope.", - "display_name": "Deny the creation of public IP", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-identity", - "name": "Deny-Public-IP", - "not_scopes": [], - "parameters": "{\"effect\":{\"value\":\"Deny\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2-identity/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet\"]", - "mode": "managed", - "type": 
"azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-identity/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies any network security rule that allows RDP access from Internet.", - "display_name": "RDP access from the Internet should be blocked", - "enforce": false, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-identity", - "name": "Deny-RDP-From-Internet", - "not_scopes": [], - "parameters": "{\"effect\":{\"value\":\"Deny\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets.", - "display_name": "Subnets should have a Network Security Group", - "enforce": false, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-identity", - 
"name": "Deny-Subnet-Without-Nsg", - "not_scopes": [], - "parameters": "{\"effect\":{\"value\":\"Deny\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2-identity/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-identity/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. 
See https://aka.ms/AzureVMAppCentricBackupExcludeTag.", - "display_name": "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy", - "enforce": false, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-identity", - "name": "Deploy-VM-Backup", - "not_scopes": [], - "parameters": "{\"effect\":{\"value\":\"deployIfNotExists\"},\"exclusionTagName\":{\"value\":\"\"},\"exclusionTagValue\":{\"value\":[]}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-IP-Forwarding\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-IP-Forwarding", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. 
This should be reviewed by the network security team.", - "display_name": "Network interfaces should disable IP forwarding", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "name": "Deny-IP-Forwarding", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Containers-AKS\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Containers-AKS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. 
For more information, see https://aka.ms/kubepolicydoc.", - "display_name": "Kubernetes cluster should not allow privileged containers", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "name": "Deny-Priv-Containers-AKS", - "not_scopes": [], - "parameters": "{\"effect\":{\"value\":\"deny\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Escalation-AKS\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Escalation-AKS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. 
For more information, see https://aka.ms/kubepolicydoc.", - "display_name": "Kubernetes clusters should not allow container privilege escalation", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "name": "Deny-Priv-Escalation-AKS", - "not_scopes": [], - "parameters": "{\"effect\":{\"value\":\"deny\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies any network security rule that allows RDP access from Internet.", - "display_name": "RDP access from the Internet should be blocked", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "name": "Deny-RDP-From-Internet", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": 
"module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Storage-http\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Storage-http", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", - "display_name": "Secure transfer to storage accounts should be enabled", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "name": "Deny-Storage-http", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": 
"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets.", - "display_name": "Subnets should have a Network Security Group", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "name": "Deny-Subnet-Without-Nsg", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-AKS-Policy\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-AKS-Policy", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. 
For more information, see https://aka.ms/akspolicydoc.", - "display_name": "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "name": "Deploy-AKS-Policy", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-DB-Auditing\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-DB-Auditing", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.", - "display_name": "Auditing on SQL server should be enabled", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "name": "Deploy-SQL-DB-Auditing", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": 
"module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Threat\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Threat", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy ensures that Threat Detection is enabled on SQL Servers.", - "display_name": "Deploy Threat Detection on SQL servers", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "name": "Deploy-SQL-Threat", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the 
virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.", - "display_name": "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "name": "Deploy-VM-Backup", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. 
For more information, visit https://aka.ms/ddosprotectiondocs.", - "display_name": "Virtual networks should be protected by Azure DDoS Protection Standard", - "enforce": false, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "name": "Enable-DDoS-VNET", - "not_scopes": [], - "parameters": "{\"ddosPlan\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-ddos/providers/Microsoft.Network/ddosProtectionPlans/root-id-2-ddos-eastus\"},\"effect\":{\"value\":\"Modify\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-AKS-HTTPS\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-AKS-HTTPS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. 
For more info, visit https://aka.ms/kubepolicydoc.", - "display_name": "Kubernetes clusters should be accessible only over HTTPS", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "name": "Enforce-AKS-HTTPS", - "not_scopes": [], - "parameters": "{\"effect\":{\"value\":\"deny\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. 
Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit.", - "display_name": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "name": "Enforce-TLS-SSL", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2-management/providers/Microsoft.Authorization/policyAssignments/Deploy-Log-Analytics\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-management/providers/Microsoft.Authorization/policyAssignments/Deploy-Log-Analytics", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy-Log-Analytics.", - "display_name": "Deploy-Log-Analytics", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2-management", - "name": "Deploy-Log-Analytics", - "not_scopes": [], - "parameters": 
"{\"automationAccountName\":{\"value\":\"root-id-2-automation\"},\"automationRegion\":{\"value\":\"eastus\"},\"dataRetention\":{\"value\":\"30\"},\"effect\":{\"value\":\"DeployIfNotExists\"},\"rgName\":{\"value\":\"root-id-2-mgmt\"},\"sku\":{\"value\":\"pergb2018\"},\"workspaceName\":{\"value\":\"root-id-2-la\"},\"workspaceRegion\":{\"value\":\"eastus\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Monitoring\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Monitoring", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enable Monitoring in Azure Security Center.", - "display_name": "Enable Monitoring in Azure Security Center", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2", - "name": "Deploy-ASC-Monitoring", - "not_scopes": [], - "parameters": 
"{\"aadAuthenticationInSqlServerMonitoringEffect\":{\"value\":\"Disabled\"},\"diskEncryptionMonitoringEffect\":{\"value\":\"Disabled\"},\"encryptionOfAutomationAccountMonitoringEffect\":{\"value\":\"Disabled\"},\"identityDesignateLessThanOwnersMonitoringEffect\":{\"value\":\"Disabled\"},\"identityDesignateMoreThanOneOwnerMonitoringEffect\":{\"value\":\"Disabled\"},\"identityEnableMFAForWritePermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveDeprecatedAccountMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"jitNetworkAccessMonitoringEffect\":{\"value\":\"Disabled\"},\"networkSecurityGroupsOnSubnetsMonitoringEffect\":{\"value\":\"AuditIfNotExists\"},\"sqlDbEncryptionMonitoringEffect\":{\"value\":\"Disabled\"},\"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\":{\"value\":\"Disabled\"},\"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\":{\"value\":\"Disabled\"},\"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\":{\"value\":\"Disabled\"},\"sqlServerAdvancedDataSecurityMonitoringEffect\":{\"value\":\"Disabled\"},\"systemUpdatesMonitoringEffect\":{\"value\":\"Disabled\"},\"useRbacRulesMonitoringEffect\":{\"value\":\"Disabled\"},\"vmssSystemUpdatesMonitoringEffect\":{\"value\":\"Disabled\"},\"windowsDefenderExploitGuardMonitoringEffect\":{\"value\":\"Disabled\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": 
"module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyAssignments/Deploy-AzActivity-Log\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyAssignments/Deploy-AzActivity-Log", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Ensures that Activity Log Diagnostics settings are set to push logs into Log Analytics workspace.", - "display_name": "Deploy Diagnostic Settings for Activity Log to Log Analytics workspace", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2", - "name": "Deploy-AzActivity-Log", - "not_scopes": [], - "parameters": "{\"logAnalytics\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-2-la\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyAssignments/Deploy-LX-Arc-Monitoring\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyAssignments/Deploy-LX-Arc-Monitoring", - "provider_name": 
"registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy-Linux-Arc-Monitoring.", - "display_name": "Deploy-Linux-Arc-Monitoring", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2", - "name": "Deploy-LX-Arc-Monitoring", - "not_scopes": [], - "parameters": "{\"logAnalytics\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-2-la\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyAssignments/Deploy-MDFC-Config\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyAssignments/Deploy-MDFC-Config", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy Microsoft Defender for Cloud and Security Contacts", - "display_name": "Deploy Microsoft Defender for Cloud configuration", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2", - "name": "Deploy-MDFC-Config", - "not_scopes": [], - "parameters": 
"{\"ascExportResourceGroupLocation\":{\"value\":\"eastus\"},\"ascExportResourceGroupName\":{\"value\":\"root-id-2-asc-export\"},\"emailSecurityContact\":{\"value\":\"security_contact@replace_me\"},\"enableAscForAppServices\":{\"value\":\"DeployIfNotExists\"},\"enableAscForArm\":{\"value\":\"DeployIfNotExists\"},\"enableAscForContainers\":{\"value\":\"DeployIfNotExists\"},\"enableAscForDns\":{\"value\":\"DeployIfNotExists\"},\"enableAscForKeyVault\":{\"value\":\"DeployIfNotExists\"},\"enableAscForOssDb\":{\"value\":\"DeployIfNotExists\"},\"enableAscForServers\":{\"value\":\"DeployIfNotExists\"},\"enableAscForSql\":{\"value\":\"DeployIfNotExists\"},\"enableAscForSqlOnVm\":{\"value\":\"DeployIfNotExists\"},\"enableAscForStorage\":{\"value\":\"DeployIfNotExists\"},\"logAnalytics\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-2-la\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyAssignments/Deploy-Resource-Diag\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyAssignments/Deploy-Resource-Diag", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Ensures that Azure resources are configured to forward diagnostic logs and metrics to an Azure Log Analytics workspace.", - "display_name": "Deploy-Resource-Diag", - 
"enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2", - "name": "Deploy-Resource-Diag", - "not_scopes": [], - "parameters": "{\"logAnalytics\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-2-la\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). 
Takes Log Analytics workspace as parameter.", - "display_name": "Enable Azure Monitor for VMs", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2", - "name": "Deploy-VM-Monitoring", - "not_scopes": [], - "parameters": "{\"logAnalytics_1\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-2-la\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-Monitoring\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-Monitoring", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. 
In CLI this would be az vmss update-instances.", - "display_name": "Enable Azure Monitor for Virtual Machine Scale Sets", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2", - "name": "Deploy-VMSS-Monitoring", - "not_scopes": [], - "parameters": "{\"logAnalytics_1\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-2-la\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyAssignments/Deploy-WS-Arc-Monitoring\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyAssignments/Deploy-WS-Arc-Monitoring", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the Log Analytics agent to Windows Azure Arc machines if the agent isn't installed.", - "display_name": "Deploy-Windows-Arc-Monitoring", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-2", - "name": "Deploy-WS-Arc-Monitoring", - "not_scopes": [], - "parameters": "{\"logAnalytics\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-2-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-2-la\"}}", - 
"policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.", - "display_name": "AppService append enable https only setting to enforce https setting.", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", - "mode": "All", - "name": "Append-AppService-httpsonly", - "parameters": "{\"effect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"field\":\"Microsoft.Web/sites/httpsOnly\",\"notequals\":true}]},\"then\":{\"details\":[{\"field\":\"Microsoft.Web/sites/httpsOnly\",\"value\":true}],\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. Please note Append does not enforce compliance use then deny.", - "display_name": "AppService append sites with minimum TLS version to enforce.", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", - "mode": "All", - "name": "Append-AppService-latestTLS", - "parameters": "{\"effect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version for a Web App config to enforce\",\"displayName\":\"Select version minimum TLS Web App config\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites/config\",\"field\":\"type\"},{\"field\":\"Microsoft.Web/sites/config/minTlsVersion\",\"notEquals\":\"[parameters('minTlsVersion')]\"}]},\"then\":{\"details\":[{\"field\":\"Microsoft.Web/sites/config/minTlsVersion\",\"value\":\"[parameters('minTlsVersion')]\"}],\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy enables you to ensure when a Key Vault is created with out soft delete enabled it will be added.", - "display_name": "KeyVault SoftDelete should be enabled", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Key Vault\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Append-KV-SoftDelete", - "parameters": null, - "policy_rule": "{\"if\":{\"anyOf\":[{\"allOf\":[{\"equals\":\"Microsoft.KeyVault/vaults\",\"field\":\"type\"},{\"field\":\"Microsoft.KeyVault/vaults/enableSoftDelete\",\"notEquals\":true}]}]},\"then\":{\"details\":[{\"field\":\"Microsoft.KeyVault/vaults/enableSoftDelete\",\"value\":true}],\"effect\":\"append\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. 
Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled.", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Cache\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Append-Redis-disableNonSslPort", - "parameters": "{\"effect\":{\"allowedValues\":[\"Append\",\"Disabled\",\"Modify\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis\",\"displayName\":\"Effect Azure Cache for Redis\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Cache/redis\",\"field\":\"type\"},{\"anyOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Cache/Redis/enableNonSslPort\"}]}]},\"then\":{\"details\":[{\"field\":\"Microsoft.Cache/Redis/enableNonSslPort\",\"value\":false}],\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Append a specific min TLS version requirement and enforce SSL 
on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS.", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Cache\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Append-Redis-sslEnforcement", - "parameters": "{\"effect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis\",\"displayName\":\"Effect Azure Cache for Redis\"},\"type\":\"String\"},\"minimumTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Cache for Redis to enforce\",\"displayName\":\"Select version for Redis server\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Cache/redis\",\"field\":\"type\"},{\"anyOf\":[{\"field\":\"Microsoft.Cache/Redis/minimumTlsVersion\",\"notequals\":\"[parameters('minimumTlsVersion')]\"}]}]},\"then\":{\"details\":[{\"field\":\"Microsoft.Cache/Redis/minimumTlsVersion\",\"value\":\"[parameters('minimumTlsVersion')]\"}],\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - 
"name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.", - "display_name": "Control private endpoint connections to Azure Machine Learning", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Audit-MachineLearning-PrivateEndpointId", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\",\"field\":\"type\"},{\"equals\":\"Approved\",\"field\":\"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\"},{\"notEquals\":\"[subscription().subscriptionId]\",\"value\":\"[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-AA-child-resources\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": 
"enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-AA-child-resources", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the creation of child resources on the Automation Account", - "display_name": "No child resources in Automation Account", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Automation\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-AA-child-resources", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Automation/automationAccounts/runbooks\",\"Microsoft.Automation/automationAccounts/variables\",\"Microsoft.Automation/automationAccounts/modules\",\"Microsoft.Automation/automationAccounts/credentials\",\"Microsoft.Automation/automationAccounts/connections\",\"Microsoft.Automation/automationAccounts/certificates\"]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy enables you to restrict that Application 
Gateways is always deployed with WAF enabled", - "display_name": "Application Gateway should be deployed with WAF enabled", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-AppGW-Without-WAF", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/applicationGateways\",\"field\":\"type\"},{\"field\":\"Microsoft.Network/applicationGateways/sku.name\",\"notequals\":\"WAF_v2\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", - "display_name": "API App should only be accessible over HTTPS", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-AppServiceApiApp-http", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"field\":\"kind\",\"like\":\"*api\"},{\"equals\":\"false\",\"field\":\"Microsoft.Web/sites/httpsOnly\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", - "display_name": "Function App should only be accessible over HTTPS", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-AppServiceFunctionApp-http", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"field\":\"kind\",\"like\":\"functionapp*\"},{\"equals\":\"false\",\"field\":\"Microsoft.Web/sites/httpsOnly\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", - "display_name": "Web Application should only be accessible over HTTPS", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-AppServiceWebApp-http", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"field\":\"kind\",\"like\":\"app*\"},{\"equals\":\"false\",\"field\":\"Microsoft.Web/sites/httpsOnly\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp", - 
"provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.", - "display_name": "Deny public IPs for Databricks cluster", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Databricks\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-Databricks-NoPublicIp", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Databricks/workspaces\",\"field\":\"type\"},{\"field\":\"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\"notEquals\":true}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.", - "display_name": "Deny non-premium Databricks sku", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Databricks\",\"version\":\"1.0.0\"}", - "mode": 
"Indexed", - "name": "Deny-Databricks-Sku", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Databricks/workspaces\",\"field\":\"type\"},{\"field\":\"Microsoft.DataBricks/workspaces/sku.name\",\"notEquals\":\"premium\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enforces the use of vnet injection for Databricks workspaces.", - "display_name": "Deny Databricks workspaces without Vnet injection", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Databricks\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-Databricks-VirtualNetwork", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Databricks/workspaces\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value\"},{\"exists\":false,\"field\":\"Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value\"},{\"exists\":false,\"field\":\"Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Aks\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Aks", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.", - "display_name": "Deny AKS cluster creation in Azure Machine Learning", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MachineLearning-Aks", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"equals\":\"AKS\",\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/resourceId\"},{\"equals\":true,\"value\":\"[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-SubnetId\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-SubnetId", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.", - "display_name": "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MachineLearning-Compute-SubnetId", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\"in\":[\"AmlCompute\",\"ComputeInstance\"]},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/subnet.id\"},{\"equals\":true,\"value\":\"[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-VmSize\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-VmSize", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.", - "display_name": "Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Budget\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MachineLearning-Compute-VmSize", - "parameters": 
"{\"allowedVmSizes\":{\"defaultValue\":[\"Standard_D1_v2\",\"Standard_D2_v2\",\"Standard_D3_v2\",\"Standard_D4_v2\",\"Standard_D11_v2\",\"Standard_D12_v2\",\"Standard_D13_v2\",\"Standard_D14_v2\",\"Standard_DS1_v2\",\"Standard_DS2_v2\",\"Standard_DS3_v2\",\"Standard_DS4_v2\",\"Standard_DS5_v2\",\"Standard_DS11_v2\",\"Standard_DS12_v2\",\"Standard_DS13_v2\",\"Standard_DS14_v2\",\"Standard_M8-2ms\",\"Standard_M8-4ms\",\"Standard_M8ms\",\"Standard_M16-4ms\",\"Standard_M16-8ms\",\"Standard_M16ms\",\"Standard_M32-8ms\",\"Standard_M32-16ms\",\"Standard_M32ls\",\"Standard_M32ms\",\"Standard_M32ts\",\"Standard_M64-16ms\",\"Standard_M64-32ms\",\"Standard_M64ls\",\"Standard_M64ms\",\"Standard_M64s\",\"Standard_M128-32ms\",\"Standard_M128-64ms\",\"Standard_M128ms\",\"Standard_M128s\",\"Standard_M64\",\"Standard_M64m\",\"Standard_M128\",\"Standard_M128m\",\"Standard_D1\",\"Standard_D2\",\"Standard_D3\",\"Standard_D4\",\"Standard_D11\",\"Standard_D12\",\"Standard_D13\",\"Standard_D14\",\"Standard_DS15_v2\",\"Standard_NV6\",\"Standard_NV12\",\"Standard_NV24\",\"Standard_F2s_v2\",\"Standard_F4s_v2\",\"Standard_F8s_v2\",\"Standard_F16s_v2\",\"Standard_F32s_v2\",\"Standard_F64s_v2\",\"Standard_F72s_v2\",\"Standard_NC6s_v3\",\"Standard_NC12s_v3\",\"Standard_NC24rs_v3\",\"Standard_NC24s_v3\",\"Standard_NC6\",\"Standard_NC12\",\"Standard_NC24\",\"Standard_NC24r\",\"Standard_ND6s\",\"Standard_ND12s\",\"Standard_ND24rs\",\"Standard_ND24s\",\"Standard_NC6s_v2\",\"Standard_NC12s_v2\",\"Standard_NC24rs_v2\",\"Standard_NC24s_v2\",\"Standard_ND40rs_v2\",\"Standard_NV12s_v3\",\"Standard_NV24s_v3\",\"Standard_NV48s_v3\"],\"metadata\":{\"description\":\"Specifies the allowed VM Sizes for Aml Compute Clusters and Instances\",\"displayName\":\"Allowed VM Sizes for Aml Compute Clusters and Instances\"},\"type\":\"Array\"},\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\"in\":[\"AmlCompute\",\"ComputeInstance\"]},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/vmSize\",\"notIn\":\"[parameters('allowedVmSizes')]\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deny public access of Azure Machine Learning clusters via SSH.", - "display_name": "Deny public access of Azure Machine Learning clusters via SSH", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"equals\":\"AmlCompute\",\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\"notEquals\":\"Disabled\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-Scale\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-Scale", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enforce scale settings for Azure Machine Learning compute clusters.", - "display_name": "Enforce scale settings for Azure Machine Learning compute clusters", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Budget\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MachineLearning-ComputeCluster-Scale", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"maxNodeCount\":{\"defaultValue\":10,\"metadata\":{\"description\":\"Specifies the maximum node count of AML Clusters\",\"displayName\":\"Maximum Node 
Count\"},\"type\":\"Integer\"},\"maxNodeIdleTimeInSecondsBeforeScaleDown\":{\"defaultValue\":900,\"metadata\":{\"description\":\"Specifies the maximum node idle time in seconds before scaledown\",\"displayName\":\"Maximum Node Idle Time in Seconds Before Scaledown\"},\"type\":\"Integer\"},\"minNodeCount\":{\"defaultValue\":0,\"metadata\":{\"description\":\"Specifies the minimum node count of AML Clusters\",\"displayName\":\"Minimum Node Count\"},\"type\":\"Integer\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"equals\":\"AmlCompute\",\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\"},{\"anyOf\":[{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount\",\"greater\":\"[parameters('maxNodeCount')]\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount\",\"greater\":\"[parameters('minNodeCount')]\"},{\"greater\":\"[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]\",\"value\":\"[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-HbiWorkspace\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-HbiWorkspace", - "provider_name": 
"registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enforces high business impact Azure Machine Learning workspaces.", - "display_name": "Enforces high business impact Azure Machine Learning Workspaces", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MachineLearning-HbiWorkspace", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\"notEquals\":true}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicAccessWhenBehindVnet\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicAccessWhenBehindVnet", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deny public access behind vnet to Azure Machine Learning workspaces.", - "display_name": "Deny public acces behind vnet to Azure Machine Learning workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Machine 
Learning\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MachineLearning-PublicAccessWhenBehindVnet", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\"notEquals\":false}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Denies public network access for Azure Machine Learning workspaces.", - "display_name": "Azure Machine Learning should have disabled public network access", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MachineLearning-PublicNetworkAccess", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces\",\"field\":\"type\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/publicNetworkAccess\",\"notEquals\":\"Disabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "MySQL database servers enforce SSL connections.", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MySql-http", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"Select version minimum TLS for MySQL server\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforMySQL/servers\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\"},{\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"},{\"field\":\"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Azure 
Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "PostgreSQL database servers enforce SSL connection.", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.1\"}", - "mode": "Indexed", - "name": "Deny-PostgreSql-http", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"Select version minimum TLS for MySQL server\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforPostgreSQL/servers\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Private-DNS-Zones\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Private-DNS-Zones", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the creation of a private DNS in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription", - "display_name": "Deny the creation of private DNS", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-Private-DNS-Zones", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/privateDnsZones\",\"field\":\"type\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - 
"description": "This policy denies the creation of Maria DB accounts with exposed public endpoints", - "display_name": "Public network access should be disabled for MariaDB", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-PublicEndpoint-MariaDB", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforMariaDB/servers\",\"field\":\"type\"},{\"field\":\"Microsoft.DBforMariaDB/servers/publicNetworkAccess\",\"notequals\":\"Disabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies creation of Public IPs under the assigned scope.", - "display_name": "Deny the creation of public IP", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-PublicIP", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - 
"policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/publicIPAddresses\",\"field\":\"type\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies any network security rule that allows RDP access from Internet", - "display_name": "RDP access from the Internet should be blocked", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", - "mode": "All", - "name": "Deny-RDP-From-Internet", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/networkSecurityGroups/securityRules\",\"field\":\"type\"},{\"allOf\":[{\"equals\":\"Allow\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/access\"},{\"equals\":\"Inbound\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/direction\"},{\"anyOf\":[{\"equals\":\"*\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\"},{\"equals\":\"3389\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\"},{\"equals\":\"true\",\"value\":\"[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]\"},{\"count\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"where\":{\"equals\":\"true\",\"value\":\"[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 
'false')]\"}},\"greater\":0},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"notEquals\":\"3389\"}}]},{\"anyOf\":[{\"equals\":\"*\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\"},{\"equals\":\"Internet\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\"},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\"notEquals\":\"Internet\"}}]}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking", - "display_name": "Azure Cache for Redis only secure connections should be enabled", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Cache\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-Redis-http", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"The effect determines what happens when the policy rule is evaluated to match\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimumTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select minimum TLS version for Azure Cache for Redis.\",\"displayName\":\"Select minumum TLS version for Azure Cache for Redis.\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Cache/redis\",\"field\":\"type\"},{\"anyOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Cache/Redis/enableNonSslPort\"},{\"field\":\"Microsoft.Cache/Redis/minimumTlsVersion\",\"notequals\":\"[parameters('minimumTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Setting 
minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.", - "display_name": "Azure SQL Database should have the minimal TLS version set to the highest version", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-Sql-minTLS", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version SQL servers to enforce\",\"displayName\":\"Select version for SQL server\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Sql/servers\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.Sql/servers/minimalTlsVersion\"},{\"field\":\"Microsoft.Sql/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": 
"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.", - "display_name": "SQL Managed Instance should have the minimal TLS version set to the highest version", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-SqlMi-minTLS", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version SQL servers to enforce\",\"displayName\":\"Select version for SQL server\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Sql/managedInstances\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.Sql/managedInstances/minimalTlsVersion\"},{\"field\":\"Microsoft.Sql/managedInstances/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - 
"schema_version": 0, - "values": { - "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking", - "display_name": "Storage Account set to minumum TLS and Secure transfer should be enabled", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Storage\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-Storage-minTLS", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"The effect determines what happens when the policy rule is evaluated to match\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimumTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_1\",\"TLS1_0\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version on Azure Storage Account to enforce\",\"displayName\":\"Storage Account select minimum TLS version\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Storage/storageAccounts\",\"field\":\"type\"},{\"anyOf\":[{\"allOf\":[{\"less\":\"2019-04-01\",\"value\":\"[requestContext().apiVersion]\"},{\"exists\":\"false\",\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\"}]},{\"equals\":\"false\",\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\"},{\"field\":\"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\"notequals\":\"[parameters('minimumTlsVersion')]\"},{\"exists\":\"false\",\"field\":\"Microsoft.Storage/storageAccounts/minimumTlsVersion\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - 
"address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level.", - "display_name": "Subnets should have a Network Security Group", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Network\",\"version\":\"2.0.0\"}", - "mode": "All", - "name": "Deny-Subnet-Without-Nsg", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"excludedSubnets\":{\"defaultValue\":[\"GatewaySubnet\",\"AzureFirewallSubnet\",\"AzureFirewallManagementSubnet\"],\"metadata\":{\"description\":\"Array of subnet names that are excluded from this policy\",\"displayName\":\"Excluded Subnets\"},\"type\":\"Array\"}}", - "policy_rule": 
"{\"if\":{\"anyOf\":[{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks\",\"field\":\"type\"},{\"count\":{\"field\":\"Microsoft.Network/virtualNetworks/subnets[*]\",\"where\":{\"allOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id\"},{\"field\":\"Microsoft.Network/virtualNetworks/subnets[*].name\",\"notIn\":\"[parameters('excludedSubnets')]\"}]}},\"notEquals\":0}]},{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks/subnets\",\"field\":\"type\"},{\"field\":\"name\",\"notIn\":\"[parameters('excludedSubnets')]\"},{\"exists\":\"false\",\"field\":\"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the creation of a subnet without a User Defined Route (UDR).", - "display_name": "Subnets should have a User Defined Route", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Network\",\"version\":\"2.0.0\"}", - "mode": "All", - "name": "Deny-Subnet-Without-Udr", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"excludedSubnets\":{\"defaultValue\":[\"AzureBastionSubnet\"],\"metadata\":{\"description\":\"Array of subnet names that are excluded from this policy\",\"displayName\":\"Excluded Subnets\"},\"type\":\"Array\"}}", - "policy_rule": "{\"if\":{\"anyOf\":[{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks\",\"field\":\"type\"},{\"count\":{\"field\":\"Microsoft.Network/virtualNetworks/subnets[*]\",\"where\":{\"allOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.Network/virtualNetworks/subnets[*].routeTable.id\"},{\"field\":\"Microsoft.Network/virtualNetworks/subnets[*].name\",\"notIn\":\"[parameters('excludedSubnets')]\"}]}},\"notEquals\":0}]},{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks/subnets\",\"field\":\"type\"},{\"field\":\"name\",\"notIn\":\"[parameters('excludedSubnets')]\"},{\"exists\":\"false\",\"field\":\"Microsoft.Network/virtualNetworks/subnets/routeTable.id\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.", - "display_name": "Deny vNet peering cross subscription.", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.1\"}", - "mode": "All", - "name": 
"Deny-VNET-Peer-Cross-Sub", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\"field\":\"type\"},{\"field\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id\",\"notcontains\":\"[subscription().id]\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-VNet-Peering\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-VNet-Peering", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the creation of vNet Peerings under the assigned scope.", - "display_name": "Deny vNet peering ", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.1\"}", - "mode": "All", - "name": "Deny-VNet-Peering", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\"field\":\"type\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - 
}, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy Azure Security Center Security Contacts", - "display_name": "Deploy Azure Security Center Security Contacts", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Security Center\",\"version\":\"1.0.0\"}", - "mode": "All", - "name": "Deploy-ASC-SecurityContacts", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"string\"},\"emailSecurityContact\":{\"metadata\":{\"description\":\"Provide email address for Azure Security Center contact details\",\"displayName\":\"Security contacts email address\"},\"type\":\"string\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"emailSecurityContact\":{\"value\":\"[parameters('emailSecurityContact')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"emailSecurityContact\":{\"metadata\":{\"description\":\"Security contacts email 
address\"},\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2020-01-01-preview\",\"name\":\"default\",\"properties\":{\"alertNotifications\":{\"minimalSeverity\":\"High\",\"state\":\"On\"},\"emails\":\"[parameters('emailSecurityContact')]\",\"notificationsByRole\":{\"roles\":[\"Owner\"],\"state\":\"On\"}},\"type\":\"Microsoft.Security/securityContacts\"}],\"variables\":{}}}},\"deploymentScope\":\"subscription\",\"existenceCondition\":{\"allOf\":[{\"contains\":\"[parameters('emailSecurityContact')]\",\"field\":\"Microsoft.Security/securityContacts/email\"},{\"equals\":\"Microsoft.Security/securityContacts\",\"field\":\"type\"},{\"equals\":\"On\",\"field\":\"Microsoft.Security/securityContacts/alertNotifications\"},{\"equals\":\"On\",\"field\":\"Microsoft.Security/securityContacts/alertsToAdmins\"}]},\"existenceScope\":\"subscription\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd\"],\"type\":\"Microsoft.Security/securityContacts\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Budget\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Budget", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy a default budget on all subscriptions under the assigned scope", - "display_name": "Deploy a default budget on all subscriptions under the assigned scope", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Budget\",\"version\":\"1.1.0\"}", - "mode": "All", - "name": 
"Deploy-Budget", - "parameters": "{\"amount\":{\"defaultValue\":\"1000\",\"metadata\":{\"description\":\"The total amount of cost or usage to track with the budget\"},\"type\":\"String\"},\"budgetName\":{\"defaultValue\":\"budget-set-by-policy\",\"metadata\":{\"description\":\"The name for the budget to be created\"},\"type\":\"String\"},\"contactEmails\":{\"defaultValue\":[],\"metadata\":{\"description\":\"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"},\"type\":\"Array\"},\"contactGroups\":{\"defaultValue\":[],\"metadata\":{\"description\":\"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"},\"type\":\"Array\"},\"contactRoles\":{\"defaultValue\":[\"Owner\",\"Contributor\"],\"metadata\":{\"description\":\"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"},\"type\":\"Array\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\"},\"type\":\"String\"},\"firstThreshold\":{\"defaultValue\":\"90\",\"metadata\":{\"description\":\"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"},\"type\":\"String\"},\"secondThreshold\":{\"defaultValue\":\"100\",\"metadata\":{\"description\":\"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"},\"type\":\"String\"},\"timeGrain\":{\"allowedValues\":[\"Monthly\",\"Quarterly\",\"Annually\",\"BillingMonth\",\"BillingQuarter\",\"BillingAnnual\"],\"defaultValue\":\"Monthly\",\"metadata\":{\"description\":\"The time covered by a budget. 
Tracking of the amount will be reset based on the time grain.\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"amount\":{\"value\":\"[parameters('amount')]\"},\"budgetName\":{\"value\":\"[parameters('budgetName')]\"},\"contactEmails\":{\"value\":\"[parameters('contactEmails')]\"},\"contactGroups\":{\"value\":\"[parameters('contactGroups')]\"},\"contactRoles\":{\"value\":\"[parameters('contactRoles')]\"},\"firstThreshold\":{\"value\":\"[parameters('firstThreshold')]\"},\"secondThreshold\":{\"value\":\"[parameters('secondThreshold')]\"},\"timeGrain\":{\"value\":\"[parameters('timeGrain')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"amount\":{\"type\":\"String\"},\"budgetName\":{\"type\":\"String\"},\"contactEmails\":{\"type\":\"Array\"},\"contactGroups\":{\"type\":\"Array\"},\"contactRoles\":{\"type\":\"Array\"},\"firstThreshold\":{\"type\":\"String\"},\"secondThreshold\":{\"type\":\"String\"},\"startDate\":{\"defaultValue\":\"[concat(utcNow('MM'), '/01/', 
utcNow('yyyy'))]\",\"type\":\"String\"},\"timeGrain\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2019-10-01\",\"name\":\"[parameters('budgetName')]\",\"properties\":{\"amount\":\"[parameters('amount')]\",\"category\":\"Cost\",\"notifications\":{\"NotificationForExceededBudget1\":{\"contactEmails\":\"[parameters('contactEmails')]\",\"contactGroups\":\"[parameters('contactGroups')]\",\"contactRoles\":\"[parameters('contactRoles')]\",\"enabled\":true,\"operator\":\"GreaterThan\",\"threshold\":\"[parameters('firstThreshold')]\"},\"NotificationForExceededBudget2\":{\"contactEmails\":\"[parameters('contactEmails')]\",\"contactGroups\":\"[parameters('contactGroups')]\",\"contactRoles\":\"[parameters('contactRoles')]\",\"enabled\":true,\"operator\":\"GreaterThan\",\"threshold\":\"[parameters('secondThreshold')]\"}},\"timeGrain\":\"[parameters('timeGrain')]\",\"timePeriod\":{\"startDate\":\"[parameters('startDate')]\"}},\"type\":\"Microsoft.Consumption/budgets\"}]}}},\"deploymentScope\":\"subscription\",\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('amount')]\",\"field\":\"Microsoft.Consumption/budgets/amount\"},{\"equals\":\"[parameters('timeGrain')]\",\"field\":\"Microsoft.Consumption/budgets/timeGrain\"},{\"equals\":\"Cost\",\"field\":\"Microsoft.Consumption/budgets/category\"}]},\"existenceScope\":\"subscription\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Consumption/budgets\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Custom-Route-Table\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": 
"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Custom-Route-Table", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys a route table with specific user defined routes when one does not exist. The route table deployed by the policy must be manually associated to subnet(s)", - "display_name": "Deploy a route table with specific user defined routes", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Custom-Route-Table", - "parameters": "{\"disableBgpPropagation\":{\"defaultValue\":false,\"metadata\":{\"description\":\"Disable BGP Propagation\",\"displayName\":\"DisableBgpPropagation\"},\"type\":\"Boolean\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"requiredRoutes\":{\"metadata\":{\"description\":\"Routes that must exist in compliant route tables deployed by this policy\",\"displayName\":\"requiredRoutes\"},\"type\":\"Array\"},\"routeTableName\":{\"metadata\":{\"description\":\"Name of the route table automatically deployed by this policy\",\"displayName\":\"routeTableName\"},\"type\":\"String\"},\"vnetRegion\":{\"metadata\":{\"description\":\"Only VNets in this region will be evaluated against this policy\",\"displayName\":\"vnetRegion\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks\",\"field\":\"type\"},{\"equals\":\"[parameters('vnetRegion')]\",\"field\":\"location\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"disableBgpPropagation\":{\"value\":\"[parameters('disableBgpPropagation')]\"},\"requiredRoutes\":{\"value\":\"[parameters('requiredRoutes')]\"},\"routeTableName\":{\"value\":\"[parameters('routeTableName')]\"},\"vnetRegion\":{\"value\":\"[parameters('vnetRegion')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"disableBgpPropagation\":{\"type\":\"bool\"},\"requiredRoutes\":{\"type\":\"array\"},\"routeTableName\":{\"type\":\"string\"},\"vnetRegion\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2021-04-01\",\"name\":\"routeTableDepl\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"disableBgpPropagation\":{\"value\":\"[parameters('disableBgpPropagation')]\"},\"requiredRoutes\":{\"value\":\"[parameters('requiredRoutes')]\"},\"routeTableName\":{\"value\":\"[parameters('routeTableName')]\"},\"vnetRegion\":{\"value\":\"[parameters('vnetRegion')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"disableBgpPropagation\":{\"type\":\"bool\"},\"requiredRoutes\":{\"type\":\"array\"},\"routeTableName\":{\"type\":\"string\"},\"vnetRegion\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2021-02-01\",\"location\":\"[[parameters('vnetRegion')]\",\"name\":\"[[parameters('routeTableName')]\",\"properties\":{\"copy\":\"[variables('copyLoop')]\",\"disableBgpRoutePropagation\":\"[[parameters('disableBgpPropagation')]\"},\"type\":\"Microsoft.Network/routeTables\"}]}},\"type\":\"Microsoft.Resources/deployments\"}],\"variables\":{\"copyLoop\":[{\"count\":\"[[length(parameters('requir
edRoutes'))]\",\"input\":{\"name\":\"[[concat('route-',copyIndex('routes'))]\",\"properties\":{\"addressPrefix\":\"[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[0]]\",\"nextHopIpAddress\":\"[[if(equals(toLower(split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]),'virtualappliance'),split(parameters('requiredRoutes')[copyIndex('routes')], ';')[2], null())]\",\"nextHopType\":\"[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]]\"}},\"name\":\"routes\"}]}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('routeTableName')]\",\"field\":\"name\"},{\"count\":{\"field\":\"Microsoft.Network/routeTables/routes[*]\",\"where\":{\"in\":\"[parameters('requiredRoutes')]\",\"value\":\"[concat(current('Microsoft.Network/routeTables/routes[*].addressPrefix'), ';', current('Microsoft.Network/routeTables/routes[*].nextHopType'), if(equals(toLower(current('Microsoft.Network/routeTables/routes[*].nextHopType')),'virtualappliance'), concat(';', current('Microsoft.Network/routeTables/routes[*].nextHopIpAddress')), ''))]\"}},\"equals\":\"[length(parameters('requiredRoutes'))]\"}]},\"roleDefinitionIds\":[\"/subscriptions/e867a45d-e513-44ac-931e-4741cef80b24/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"],\"type\":\"Microsoft.Network/routeTables\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-DDoSProtection\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-DDoSProtection", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - 
"schema_version": 0, - "values": { - "description": "Deploys an Azure DDoS Protection Standard plan", - "display_name": "Deploy an Azure DDoS Protection Standard plan", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", - "mode": "All", - "name": "Deploy-DDoSProtection", - "parameters": "{\"ddosName\":{\"metadata\":{\"description\":\"DDoSVnet\",\"displayName\":\"ddosName\"},\"type\":\"String\"},\"ddosRegion\":{\"metadata\":{\"description\":\"DDoSVnet location\",\"displayName\":\"ddosRegion\",\"strongType\":\"location\"},\"type\":\"String\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"rgName\":{\"metadata\":{\"description\":\"Provide name for resource group.\",\"displayName\":\"rgName\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"ddosname\":{\"value\":\"[parameters('ddosname')]\"},\"ddosregion\":{\"value\":\"[parameters('ddosRegion')]\"},\"rgName\":{\"value\":\"[parameters('rgName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"ddosRegion\":{\"type\":\"String\"},\"ddosname\":{\"type\":\"String\"},\"rgName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2018-05-01\",\"location\":\"[deployment().location]\",\"name\":\"[parameters('rgName')]\",\"properties\":{},\"type\":\"Microsoft.Resources/resourceGroups\"},{\"apiVersion\":\"2018-05-01\",\"dependsOn\":[\"[resourceId('Microsoft.Resources/resourceGroups/', 
parameters('rgName'))]\"],\"name\":\"ddosprotection\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{},\"resources\":[{\"apiVersion\":\"2019-12-01\",\"location\":\"[parameters('ddosRegion')]\",\"name\":\"[parameters('ddosName')]\",\"properties\":{},\"type\":\"Microsoft.Network/ddosProtectionPlans\"}]}},\"resourceGroup\":\"[parameters('rgName')]\",\"type\":\"Microsoft.Resources/deployments\"}]}}},\"deploymentScope\":\"subscription\",\"existenceScope\":\"resourceGroup\",\"name\":\"[parameters('ddosName')]\",\"resourceGroupName\":\"[parameters('rgName')]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"],\"type\":\"Microsoft.Network/ddosProtectionPlans\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Automation to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-AA", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Automation/automationAccounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"JobLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"JobStreams\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DscNodeStatus\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AuditEvent\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Automation/automationAccounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the 
diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.", - "display_name": "Deploy Diagnostic Settings for Container Instances to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-ACI", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.ContainerInstance/containerGroups\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.ContainerInstance/containerGroups/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - 
"timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.", - "display_name": "Deploy Diagnostic Settings for Container Registry to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-ACR", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.ContainerRegistry/registries\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[paramet
ers('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ContainerRegistryLoginEvents\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ContainerRegistryRepositoryEvents\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.ContainerRegistry/registries/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic 
settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for API Management to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-APIMgmt", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.ApiManagement/service\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"GatewayLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.ApiManagement/service/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-AnalysisService", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.AnalysisServices/servers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Engine\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Service\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.AnalysisServices/servers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is 
created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-ApiForFHIR", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.HealthcareApis/services\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.HealthcareApis/services/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-ApplicationGateway", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/applicationGateways\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ApplicationGatewayAccessLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ApplicationGatewayPerformanceLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ApplicationGatewayFirewallLog\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/applicationGateways/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the 
diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-CDNEndpoints", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Cdn/profiles/endpoints\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('fullName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"CoreAnalytics\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Cdn/profiles/endpoints/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-CognitiveServices", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.CognitiveServices/accounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameter
s('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"RequestResponse\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Trace\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.CognitiveServices/accounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": 
"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-CosmosDB", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DocumentDB/databaseAccounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"DataPlaneRequests\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"MongoRequests\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"QueryRuntimeStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"PartitionKeyStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"PartitionKeyRUConsumption\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ControlPlaneRequests\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"CassandraRequests\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"GremlinRequests\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"Requests\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DocumentDB/databaseAccounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\"]", - 
"mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-DLAnalytics", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.DataLakeAnalytics/accounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameter
s('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Requests\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Azure Data 
Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-DataExplorerCluster", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Kusto/Clusters\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"SucceededIngestion\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"FailedIngestion\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"IngestionBatching\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Command\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Query\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TableUsageStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TableDetails\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Kusto/Clusters/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": 
"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Data Factory to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-DataFactory", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.DataFactory/factories\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('lo
cation')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ActivityRuns\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"PipelineRuns\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TriggerRuns\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageEventMessages\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageExecutableStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageEventMessageContext\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageExecutionComponentPhases\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageExecutionDataStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISIntegrationRuntimeLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DataFactory/factories/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Databricks to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-Databricks", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Databricks/workspaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"dbfs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"clusters\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"accounts\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"jobs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"notebook\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ssh\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"workspace\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"secrets\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"sqlPermissions\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"instancePools\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Databricks/workspaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": 
"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-EventGridSub", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.EventGrid/eventSubscriptions\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.EventGrid/eventSubscriptions/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-EventGridSystemTopic", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.EventGrid/systemTopics\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"DeliveryFailures\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.EventGrid/systemTopics/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-EventGridTopic", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.EventGrid/topics\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"DeliveryFailures\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"PublishFailures\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.EventGrid/topics/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings 
is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-ExpressRoute", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/expressRouteCircuits\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"PeeringRouteLog\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/expressRouteCircuits/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Firewall to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-Firewall", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/azureFirewalls\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AzureFirewallApplicationRule\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AzureFirewallNetworkRule\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AzureFirewallDnsProxy\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/azureFirewalls/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Front Door 
to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Front Door to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-FrontDoor", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/frontDoors\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"FrontdoorAccessLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"FrontdoorWebApplicationFirewallLog\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/frontDoors/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this 
diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-Function", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"contains\":\"functionapp\",\"value\":\"[field('kind')]\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"FunctionAppLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Web/sites/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for HDInsight to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-HDInsight", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.HDInsight/clusters\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.HDInsight/clusters/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - 
"sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-LoadBalancer", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/loadBalancers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('lo
cation')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"LoadBalancerAlertEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"LoadBalancerProbeHealthStatus\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/loadBalancers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for 
Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-LogicAppsISE", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Logic/integrationAccounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"IntegrationAccountTrackingEvents\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Logic/integrationAccounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for MariaDB to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-MariaDB", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.DBforMariaDB/servers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('loc
ation')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"MySqlSlowLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"MySqlAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DBforMariaDB/servers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Azure Media Service to stream 
to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-MediaService", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Media/mediaServices\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"KeyDeliveryRequests\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Media/mediaServices/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-MlWorkspace", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.MachineLearningServices/workspaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AmlComputeClusterEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AmlComputeClusterNodeEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AmlComputeJobEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AmlComputeCpuGpuUtilization\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AmlRunStatusChangedEvent\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"Run\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null},{\"category\":\"Model\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":true}},{\"category\":\"Quota\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null},{\"category\":\"Resource\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.MachineLearningServices/workspaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-MySQL", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.DBforMySQL/servers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('locat
ion')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"MySqlSlowLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"MySqlAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DBforMySQL/servers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics 
workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-NIC", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/networkInterfaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/networkInterfaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - 
"sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-NetworkSecurityGroups", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/networkSecurityGroups\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"NetworkSecurityGroupEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"NetworkSecurityGroupRuleCounter\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-PostgreSQL", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DBforPostgreSQL/servers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"PostgreSQLLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"QueryStoreRuntimeStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"QueryStoreWaitStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DBforPostgreSQL/servers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Power 
BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-PowerBIEmbedded", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.PowerBIDedicated/capacities\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Engine\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.PowerBIDedicated/capacities/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-RedisCache", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Cache/redis\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Cache/redis/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - 
}, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Relay to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-Relay", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Relay/namespaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('locatio
n')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"HybridConnectionsEvent\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Relay/namespaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing 
this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-SQLElasticPools", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Sql/servers/elasticPools\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('fullName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Sql/servers/elasticPools/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - 
}, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-SQLMI", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Sql/managedInstances\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ResourceUsageStats\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SQLSecurityAuditEvents\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DevOpsOperationsAudit\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Sql/managedInstances/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for SignalR to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-SignalR", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.SignalRService/SignalR\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AllLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.SignalRService/SignalR/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-TimeSeriesInsights", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.TimeSeriesInsights/environments\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Ingress\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Management\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.TimeSeriesInsights/environments/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this 
diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-TrafficManager", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/trafficManagerProfiles\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ProbeHealthStatusEvents\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/trafficManagerProfiles/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-VM", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Compute/virtualMachines\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false}}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Compute/virtualMachines/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": 
{} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-VMSS", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false}}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Compute/virtualMachineScaleSets/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled.", - "display_name": "Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-VNetGW", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/virtualNetworkGateways\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"GatewayDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"IKEDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"P2SDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"RouteDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"RouteDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TunnelDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/virtualNetworkGateways/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": 
"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-VirtualNetwork", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/virtualNetworks\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('
location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"VMProtectionAlerts\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false}}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/virtualNetworks/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for WVD Application group to stream to a Log Analytics workspace when any application group which is missing this 
diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", - "display_name": "Deploy Diagnostic Settings for WVD Application group to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-WVDAppGroup", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DesktopVirtualization/applicationGroups\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Checkpoint\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Error\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Management\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DesktopVirtualization/applicationGroups/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for WVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all and categorys enabled.", - "display_name": "Deploy Diagnostic Settings for WVD Host Pools to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-WVDHostPools", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DesktopVirtualization/hostpools\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Checkpoint\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Error\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Management\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Connection\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"HostRegistration\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AgentHealthStatus\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DesktopVirtualization/hostpools/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for WVD Workspace to stream to a Log Analytics workspace when 
any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", - "display_name": "Deploy Diagnostic Settings for WVD Workspace to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-WVDWorkspace", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DesktopVirtualization/workspaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Checkpoint\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Error\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Management\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Feed\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DesktopVirtualization/workspaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-WebServerFarm", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Web/serverfarms\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Web/serverfarms/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - 
"sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for App Service to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-Website", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"notContains\":\"functionapp\",\"value\":\"[field('kind')]\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"20
17-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AppServiceAntivirusScanAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceHTTPLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceConsoleLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceHTTPLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceAppLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceFileAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceIPSecAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServicePlatformLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Web/sites/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": 
{} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-iotHub", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Devices/IotHubs\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location
')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Connections\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DeviceTelemetry\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"C2DCommands\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DeviceIdentityOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"FileUploadOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Routes\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"D2CTwinOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"C2DTwinOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TwinQueries\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"JobsOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DirectMethods\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DistributedTracing\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Configurations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DeviceStreams\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Devices/IotHubs/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa
\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-FirewallPolicy\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-FirewallPolicy", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys Azure Firewall Manager policy in subscription where the policy is assigned.", - "display_name": "Deploy Azure Firewall Manager policy in the subscription", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", - "mode": "All", - "name": "Deploy-FirewallPolicy", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"fwPolicyRegion\":{\"metadata\":{\"description\":\"Select Azure region for Azure Firewall Policy\",\"displayName\":\"fwPolicyRegion\",\"strongType\":\"location\"},\"type\":\"String\"},\"fwpolicy\":{\"defaultValue\":{},\"metadata\":{\"description\":\"Object describing Azure Firewall Policy\",\"displayName\":\"fwpolicy\"},\"type\":\"Object\"},\"rgName\":{\"metadata\":{\"description\":\"Provide name for resource group.\",\"displayName\":\"rgName\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"fwPolicy\":{\"value\":\"[parameters('fwPolicy')]\"},\"fwPolicyRegion\":{\"value\":\"[parameters('fwPolicyRegion')]\"},\"rgName\":{\"value\":\"[parameters('rgName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"fwPolicy\":{\"type\":\"object\"},\"fwPolicyRegion\":{\"type\":\"String\"},\"rgName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2018-05-01\",\"location\":\"[deployment().location]\",\"name\":\"[parameters('rgName')]\",\"properties\":{},\"type\":\"Microsoft.Resources/resourceGroups\"},{\"apiVersion\":\"2018-05-01\",\"dependsOn\":[\"[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]\"],\"name\":\"fwpolicies\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{},\"resources\":[{\"apiVersion\":\"2019-09-01\",\"dependsOn\":[],\"location\":\"[parameters('fwpolicy').location]\",\"name\":\"[parameters('fwpolicy').firewallPolicyName]\",\"properties\":{},\"resources\":[{\"apiVersion\":\"2019-09-01\",\"dependsOn\":[\"[resourceId('Microsoft.Network/firewallPolicies',parameters('fwpolicy').firewallPolicyName)]\"],\"name\":\"[parameters('fwpolicy').ruleGroups.name]\",\"properties\":{\"priority\":\"[parameters('fwpolicy').ruleGroups.properties.priority]\",\"rules\":\"[parameters('fwpolicy').ruleGroups.properties.rules]\"},\"type\":\"ruleGroups\"}],\"tags\":{},\"type\":\"Microsoft.Network/firewallPolicies\"}],\"variables\":{}}},\"resourceGroup\":\"[parameters('rgName')]\",\"type\":\"Microsoft.Resources/deployments\"}]}}},\"depl
oymentScope\":\"subscription\",\"existenceScope\":\"resourceGroup\",\"resourceGroupName\":\"[parameters('rgName')]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Network/firewallPolicies\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-MySQL-sslEnforcement", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure Database for MySQL server\",\"displayName\":\"Effect minimum TLS version Azure Database for MySQL server\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"Select version minimum TLS for MySQL server\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforMySQL/servers\",\"field\":\"type\"},{\"anyOf\":[{\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"},{\"field\":\"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('minimalTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimalTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-12-01\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimalTlsVersion\":\"[parameters('minimalTlsVersion')]\",\"sslEnforcement\":\"[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]\"},\"type\":\"Microsoft.DBforMySQL/servers\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"Enabled\",\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\"},{\"equals\":\"[parameters('minimalTlsVersion')]\",\"field\":\"Microsoft.DBforMySQL/servers/minimalTlsVersion\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.DBforMySQL/servers\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs\"]", - 
"mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys NSG flow logs and traffic analytics to a storageaccountid with a specfied retention period.", - "display_name": "Deploys NSG flow logs and traffic analytics", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Nsg-FlowLogs", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"flowAnalyticsEnabled\":{\"defaultValue\":false,\"metadata\":{\"displayName\":\"Enable Traffic Analytics\"},\"type\":\"Boolean\"},\"logAnalytics\":{\"defaultValue\":\"\",\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Resource ID of Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"retention\":{\"defaultValue\":5,\"metadata\":{\"displayName\":\"Retention\"},\"type\":\"Integer\"},\"storageAccountResourceId\":{\"metadata\":{\"displayName\":\"Storage Account Resource Id\",\"strongType\":\"Microsoft.Storage/storageAccounts\"},\"type\":\"String\"},\"trafficAnalyticsInterval\":{\"defaultValue\":60,\"metadata\":{\"displayName\":\"Traffic Analytics processing interval mins (10/60)\"},\"type\":\"Integer\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/networkSecurityGroups\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"flowAnalyticsEnabled\":{\"value\":\"[parameters('flowAnalyticsEnabled')]\"},\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"networkSecurityGroupName\":{\"value\":\"[field('name')]\"},\"resourceGroupName\":{\"value\":\"[resourceGroup().name]\"},\"retention\":{\"value\":\"[parameters('retention')]\"},\"storageAccountResourceId\":{\"value\":\"[parameters('storageAccountResourceId')]\"},\"trafficAnalyticsInterval\":{\"value\":\"[parameters('trafficAnalyticsInterval')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"flowAnalyticsEnabled\":{\"type\":\"bool\"},\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"networkSecurityGroupName\":{\"type\":\"String\"},\"resourceGroupName\":{\"type\":\"String\"},\"retention\":{\"type\":\"int\"},\"storageAccountResourceId\":{\"type\":\"String\"},\"trafficAnalyticsInterval\":{\"type\":\"int\"}},\"resources\":[{\"api
Version\":\"2020-05-01\",\"location\":\"[parameters('location')]\",\"name\":\"[take(concat('NetworkWatcher_', toLower(parameters('location')), '/', parameters('networkSecurityGroupName'), '-', parameters('resourceGroupName'), '-flowlog' ), 80)]\",\"properties\":{\"enabled\":true,\"flowAnalyticsConfiguration\":{\"networkWatcherFlowAnalyticsConfiguration\":{\"enabled\":\"[bool(parameters('flowAnalyticsEnabled'))]\",\"trafficAnalyticsInterval\":\"[parameters('trafficAnalyticsInterval')]\",\"workspaceId\":\"[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').properties.customerId, json('null')) ]\",\"workspaceRegion\":\"[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').location, json('null')) ]\",\"workspaceResourceId\":\"[if(not(empty(parameters('logAnalytics'))), parameters('logAnalytics'), json('null'))]\"}},\"format\":{\"type\":\"JSON\",\"version\":2},\"retentionPolicy\":{\"days\":\"[parameters('retention')]\",\"enabled\":true},\"storageId\":\"[parameters('storageAccountResourceId')]\",\"targetResourceId\":\"[resourceId(parameters('resourceGroupName'), 'Microsoft.Network/networkSecurityGroups', 
parameters('networkSecurityGroupName'))]\"},\"type\":\"Microsoft.Network/networkWatchers/flowLogs\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Network/networkWatchers/flowLogs/enabled\"},{\"equals\":\"[parameters('flowAnalyticsEnabled')]\",\"field\":\"Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled\"}]},\"resourceGroupName\":\"NetworkWatcherRG\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Network/networkWatchers/flowLogs\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs-to-LA\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs-to-LA", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys NSG flow logs and traffic analytics to Log Analytics with a specfied retention period.", - "display_name": "Deploys NSG flow logs and traffic analytics to Log Analytics", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.1.0\"}", - "mode": "Indexed", - "name": "Deploy-Nsg-FlowLogs-to-LA", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"interval\":{\"defaultValue\":60,\"metadata\":{\"displayName\":\"Traffic Analytics processing interval mins (10/60)\"},\"type\":\"Integer\"},\"retention\":{\"defaultValue\":5,\"metadata\":{\"displayName\":\"Retention\"},\"type\":\"Integer\"},\"workspace\":{\"defaultValue\":\"\",\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Resource ID of Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/networkSecurityGroups\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"interval\":{\"value\":\"[parameters('interval')]\"},\"location\":{\"value\":\"[field('location')]\"},\"networkSecurityGroup\":{\"value\":\"[field('id')]\"},\"retention\":{\"value\":\"[parameters('retention')]\"},\"workspace\":{\"value\":\"[parameters('workspace')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"interval\":{\"type\":\"int\"},\"location\":{\"type\":\"String\"},\"networkSecurityGroup\":{\"type\":\"String\"},\"retention\":{\"type\":\"int\"},\"time\":{\"defaultValue\":\"[utcNow()]\",\"type\":\"String\"},\"workspace\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2019-10-01\",\"name\":\"[concat(variables('resourceGroupName'), '.', 
variables('securityGroupName'))]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"resources\":[{\"apiVersion\":\"2019-06-01\",\"kind\":\"StorageV2\",\"location\":\"[parameters('location')]\",\"name\":\"[variables('storageAccountName')]\",\"properties\":{},\"sku\":{\"name\":\"Standard_LRS\",\"tier\":\"Standard\"},\"type\":\"Microsoft.Storage/storageAccounts\"}]}},\"resourceGroup\":\"[variables('resourceGroupName')]\",\"type\":\"Microsoft.Resources/deployments\"},{\"apiVersion\":\"2019-10-01\",\"dependsOn\":[\"[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]\"],\"name\":\"[concat('NetworkWatcherRG', '.', variables('securityGroupName'))]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"resources\":[{\"apiVersion\":\"2020-05-01\",\"location\":\"[parameters('location')]\",\"name\":\"[concat('NetworkWatcher_', toLower(parameters('location')))]\",\"properties\":{},\"resources\":[{\"apiVersion\":\"2019-11-01\",\"dependsOn\":[\"[concat('NetworkWatcher_', toLower(parameters('location')))]\"],\"location\":\"[parameters('location')]\",\"name\":\"[concat(variables('securityGroupName'), '-Network-flowlog')]\",\"properties\":{\"enabled\":true,\"flowAnalyticsConfiguration\":{\"networkWatcherFlowAnalyticsConfiguration\":{\"enabled\":true,\"trafficAnalyticsInterval\":\"[parameters('interval')]\",\"workspaceResourceId\":\"[parameters('workspace')]\"}},\"format\":{\"type\":\"JSON\",\"version\":2},\"retentionPolicy\":{\"days\":\"[parameters('retention')]\",\"enabled\":true},\"storageId\":\"[concat(subscription().id, '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.Storage/storageAccounts/', 
variables('storageAccountName'))]\",\"targetResourceId\":\"[parameters('networkSecurityGroup')]\"},\"type\":\"flowLogs\"}],\"type\":\"Microsoft.Network/networkWatchers\"}]}},\"resourceGroup\":\"NetworkWatcherRG\",\"type\":\"Microsoft.Resources/deployments\"}],\"variables\":{\"resourceGroupName\":\"[split(parameters('networkSecurityGroup'), '/')[4]]\",\"securityGroupName\":\"[split(parameters('networkSecurityGroup'), '/')[8]]\",\"storageAccountName\":\"[concat('es', uniqueString(variables('securityGroupName'), parameters('time')))]\"}}}},\"deploymentScope\":\"subscription\",\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Network/networkWatchers/flowLogs/enabled\"}]},\"existenceScope\":\"resourceGroup\",\"name\":\"[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id'))), 'null/null', concat(split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8], '/', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10]))]\",\"resourceGroupName\":\"[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), 'NetworkWatcherRG', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\",\"/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12\",\"/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\",\"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\",\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Network/networkWatchers/flowlogs\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL ", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-PostgreSQL-sslEnforcement", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure Database for PostgreSQL server\",\"displayName\":\"Effect Azure Database for PostgreSQL server\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for PostgreSQL server to enforce\",\"displayName\":\"Select version for PostgreSQL 
server\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforPostgreSQL/servers\",\"field\":\"type\"},{\"anyOf\":[{\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\"notEquals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('minimalTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimalTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-12-01\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimalTlsVersion\":\"[parameters('minimalTlsVersion')]\",\"sslEnforcement\":\"[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]\"},\"type\":\"Microsoft.DBforPostgreSQL/servers\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"Enabled\",\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\"},{\"equals\":\"[parameters('minimalTlsVersion')]\",\"field\":\"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\"}]},\"name\":\"current\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.DBforPostgreSQL/servers\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "SQL servers deploys a specific min TLS version requirement.", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-SQL-minTLS", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version SQL servers\",\"displayName\":\"Effect SQL servers\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version SQL servers to enforce\",\"displayName\":\"Select version for SQL server\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Sql/servers\",\"field\":\"type\"},{\"field\":\"Microsoft.Sql/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('minimalTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimalTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2019-06-01-preview\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimalTlsVersion\":\"[parameters('minimalTlsVersion')]\"},\"type\":\"Microsoft.Sql/servers\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('minimalTlsVersion')]\",\"field\":\"Microsoft.Sql/servers/minimalTlsVersion\"}]},\"name\":\"current\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.Sql/servers\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - 
"schema_version": 0, - "values": { - "description": "Deploy auditing settings to SQL Database when it not exist in the deployment", - "display_name": "Deploy SQL database auditing settings", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Sql-AuditingSettings", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Sql/servers/databases\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"sqlServerDataBaseName\":{\"value\":\"[field('name')]\"},\"sqlServerName\":{\"value\":\"[first(split(field('fullname'),'/'))]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"sqlServerDataBaseName\":{\"type\":\"String\"},\"sqlServerName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-03-01-preview\",\"name\":\"[concat( 
parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\"properties\":{\"auditActionsAndGroups\":[\"BATCH_COMPLETED_GROUP\",\"DATABASE_OBJECT_CHANGE_GROUP\",\"SCHEMA_OBJECT_CHANGE_GROUP\",\"BACKUP_RESTORE_GROUP\",\"APPLICATION_ROLE_CHANGE_PASSWORD_GROUP\",\"DATABASE_PRINCIPAL_CHANGE_GROUP\",\"DATABASE_PRINCIPAL_IMPERSONATION_GROUP\",\"DATABASE_ROLE_MEMBER_CHANGE_GROUP\",\"USER_CHANGE_PASSWORD_GROUP\",\"DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP\",\"DATABASE_OBJECT_PERMISSION_CHANGE_GROUP\",\"DATABASE_PERMISSION_CHANGE_GROUP\",\"SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP\",\"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP\",\"FAILED_DATABASE_AUTHENTICATION_GROUP\"],\"isAzureMonitorTargetEnabled\":true,\"state\":\"enabled\"},\"type\":\"Microsoft.Sql/servers/databases/auditingSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"enabled\",\"field\":\"Microsoft.Sql/servers/databases/auditingSettings/state\"},{\"equals\":\"true\",\"field\":\"Microsoft.Sql/servers/databases/auditingSettings/isAzureMonitorTargetEnabled\"}]},\"name\":\"default\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"],\"type\":\"Microsoft.Sql/servers/databases/auditingSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": 
"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration", - "display_name": "Deploy SQL Database security Alert Policies configuration with email admin accounts", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Sql-SecurityAlertPolicies", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Sql/servers/databases\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"sqlServerDataBaseName\":{\"value\":\"[field('name')]\"},\"sqlServerName\":{\"value\":\"[first(split(field('fullname'),'/'))]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"sqlServerDataBaseName\":{\"type\":\"String\"},\"sqlServerName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2018-06-01-preview\",\"name\":\"[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\"properties\":{\"disabledAlerts\":[\"\"],\"emailAccountAdmins\":true,\"emailAddresses\":[\"admin@contoso.com\"],\"retentionDays\":0,\"state\":\"Enabled\",\"storageAccountAccessKey\":\"\",\"storageEndpoint\":null},\"type\":\"Microsoft.Sql/servers/databases/securityAlertPolicies\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"Enabled\",\"field\":\"Microsoft.Sql/servers/databases/securityAlertPolicies/state\"}]},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88
-42e1-933e-88ba6a50c9c3\"],\"type\":\"Microsoft.Sql/servers/databases/securityAlertPolicies\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment", - "display_name": "Deploy SQL Database Transparent Data Encryption ", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Sql-Tde", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Sql/servers/databases\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"sqlServerDataBaseName\":{\"value\":\"[field('name')]\"},\"sqlServerName\":{\"value\":\"[first(split(field('fullname'),'/'))]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"sqlServerDataBaseName\":{\"type\":\"String\"},\"sqlServerName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2014-04-01\",\"name\":\"[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/current')]\",\"properties\":{\"status\":\"Enabled\"},\"type\":\"Microsoft.Sql/servers/databases/transparentDataEncryption\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"Enabled\",\"field\":\"Microsoft.Sql/transparentDataEncryption.status\"}]},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"],\"type\":\"Microsoft.Sql/servers/databases/transparentDataEncryption\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy SQL Database 
vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters", - "display_name": "Deploy SQL Database vulnerability Assessments", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Sql-vulnerabilityAssessments", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"vulnerabilityAssessmentsEmail\":{\"metadata\":{\"description\":\"The email address to send alerts\",\"displayName\":\"The email address to send alerts\"},\"type\":\"String\"},\"vulnerabilityAssessmentsStorageID\":{\"metadata\":{\"description\":\"The storage account ID to store assessments\",\"displayName\":\"The storage account ID to store assessments\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Sql/servers/databases\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"sqlServerDataBaseName\":{\"value\":\"[field('name')]\"},\"sqlServerName\":{\"value\":\"[first(split(field('fullname'),'/'))]\"},\"vulnerabilityAssessmentsEmail\":{\"value\":\"[parameters('vulnerabilityAssessmentsEmail')]\"},\"vulnerabilityAssessmentsStorageID\":{\"value\":\"[parameters('vulnerabilityAssessmentsStorageID')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"sqlServerDataBaseName\":{\"type\":\"String\"},\"sqlServerName\":{\"type\":\"String\"},\"vulnerabilityAssessmentsEmail\":{\"type\":\"String\"},\"vulnerabilityAssessmentsStorageID\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-03-01-preview\",\"name\":\"[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\"properties\":{\"recurringScans\":{\"emailSubscriptionAdmins\":false,\"emails\":[\"[parameters('vulnerabilityAssessmentsEmail')]\"],\"isEnabled\":true},\"storageAccountAccessKey\":\"[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]\",\"storageContainerPath\":\"[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') ) , 
'.blob.core.windows.net/vulneraabilitylogs')]\"},\"type\":\"Microsoft.Sql/servers/databases/vulnerabilityAssessments\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('vulnerabilityAssessmentsEmail')]\",\"field\":\"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails\"},{\"equals\":true,\"field\":\"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled\"}]},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\",\"/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\"],\"type\":\"Microsoft.Sql/servers/databases/vulnerabilityAssessments\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "SQL managed instances deploy a specific min TLS version requirement.", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-SqlMi-minTLS", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version SQL servers\",\"displayName\":\"Effect SQL servers\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version SQL servers to enforce\",\"displayName\":\"Select version for SQL server\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Sql/managedInstances\",\"field\":\"type\"},{\"field\":\"Microsoft.Sql/managedInstances/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('minimalTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimalTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2020-02-02-preview\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimalTlsVersion\":\"[parameters('minimalTlsVersion')]\"},\"type\":\"Microsoft.Sql/managedInstances\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[
{\"equals\":\"[parameters('minimalTlsVersion')]\",\"field\":\"Microsoft.Sql/managedInstances/minimalTlsVersion\"}]},\"name\":\"current\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.Sql/managedInstances\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure STorage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS ", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Storage\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Storage-sslEnforcement", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure STorage\",\"displayName\":\"Effect Azure STorage\"},\"type\":\"String\"},\"minimumTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_1\",\"TLS1_0\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure STorage to enforce\",\"displayName\":\"Select version for PostgreSQL server\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Storage/storageAccounts\",\"field\":\"type\"},{\"anyOf\":[{\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\"notEquals\":\"true\"},{\"field\":\"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\"notEquals\":\"[parameters('minimumTlsVersion')]\"}]}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('minimumTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimumTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2019-06-01\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":
{\"minimumTlsVersion\":\"[parameters('minimumTlsVersion')]\",\"supportsHttpsTrafficOnly\":true},\"type\":\"Microsoft.Storage/storageAccounts\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\"},{\"equals\":\"[parameters('minimumTlsVersion')]\",\"field\":\"Microsoft.Storage/storageAccounts/minimumTlsVersion\"},{\"equals\":\"false\",\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\"}]},\"name\":\"current\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.DBforPostgreSQL/servers\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-VNET-HubSpoke\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-VNET-HubSpoke", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy deploys virtual network and peer to the hub", - "display_name": "Deploy Virtual Network with peering to the hub", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Network\",\"version\":\"1.1.0\"}", - "mode": "All", - "name": "Deploy-VNET-HubSpoke", - "parameters": "{\"dnsServers\":{\"defaultValue\":[],\"metadata\":{\"description\":\"Default domain servers for the vNET.\",\"displayName\":\"DNSServers\"},\"type\":\"Array\"},\"hubResourceId\":{\"metadata\":{\"description\":\"Resource ID for the HUB 
vNet\",\"displayName\":\"hubResourceId\"},\"type\":\"String\"},\"vNetCidrRange\":{\"metadata\":{\"description\":\"CIDR Range for the vNet\",\"displayName\":\"vNetCidrRange\"},\"type\":\"String\"},\"vNetLocation\":{\"metadata\":{\"description\":\"Location for the vNet\",\"displayName\":\"vNetLocation\"},\"type\":\"String\"},\"vNetName\":{\"metadata\":{\"description\":\"Name of the landing zone vNet\",\"displayName\":\"vNetName\"},\"type\":\"String\"},\"vNetPeerUseRemoteGateway\":{\"defaultValue\":false,\"metadata\":{\"description\":\"Enable gateway transit for the LZ network\",\"displayName\":\"vNetPeerUseRemoteGateway\"},\"type\":\"Boolean\"},\"vNetRgName\":{\"metadata\":{\"description\":\"Name of the landing zone vNet RG\",\"displayName\":\"vNetRgName\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"ResourceGroupName\":\"[parameters('vNetRgName')]\",\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"dnsServers\":{\"value\":\"[parameters('dnsServers')]\"},\"hubResourceId\":{\"value\":\"[parameters('hubResourceId')]\"},\"vNetCidrRange\":{\"value\":\"[parameters('vNetCidrRange')]\"},\"vNetLocation\":{\"value\":\"[parameters('vNetLocation')]\"},\"vNetName\":{\"value\":\"[parameters('vNetName')]\"},\"vNetPeerUseRemoteGateway\":{\"value\":\"[parameters('vNetPeerUseRemoteGateway')]\"},\"vNetRgName\":{\"value\":\"[parameters('vNetRgName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"dnsServers\":{\"defaultValue\":[],\"type\":\"Array\"},\"hubResourceId\":{\"type\":\"String\"},\"vNetCidrRange\":{\"type\":\"String\"},\"vNetLocation\":{\"type\":\"String\"},\"vNetName\":{\"type\":\"String\"},\"vNetPeerUseRemoteGateway\":{\"defaultValue\":false,\"type\":\"bool\"},\"vNetRgNam
e\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2021-04-01\",\"dependsOn\":[],\"location\":\"[parameters('vNetLocation')]\",\"name\":\"[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6),'-rg')]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{},\"resources\":[{\"apiVersion\":\"2021-04-01\",\"location\":\"[parameters('vNetLocation')]\",\"name\":\"[parameters('vNetRgName')]\",\"properties\":{},\"type\":\"Microsoft.Resources/resourceGroups\"}],\"variables\":{}}},\"type\":\"Microsoft.Resources/deployments\"},{\"apiVersion\":\"2021-04-01\",\"dependsOn\":[\"[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6),'-rg')]\"],\"name\":\"[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6))]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{},\"resources\":[{\"apiVersion\":\"2021-02-01\",\"dependsOn\":[],\"location\":\"[parameters('vNetLocation')]\",\"name\":\"[parameters('vNetName')]\",\"properties\":{\"addressSpace\":{\"addressPrefixes\":[\"[parameters('vNetCidrRange')]\"]},\"dhcpOptions\":{\"dnsServers\":\"[parameters('dnsServers')]\"}},\"type\":\"Microsoft.Network/virtualNetworks\"},{\"apiVersion\":\"2021-02-01\",\"dependsOn\":[\"[parameters('vNetName')]\"],\"name\":\"[concat(parameters('vNetName'), 
'/peerToHub')]\",\"properties\":{\"allowForwardedTraffic\":true,\"allowGatewayTransit\":false,\"allowVirtualNetworkAccess\":true,\"remoteVirtualNetwork\":{\"id\":\"[parameters('hubResourceId')]\"},\"useRemoteGateways\":\"[parameters('vNetPeerUseRemoteGateway')]\"},\"type\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\"},{\"apiVersion\":\"2021-04-01\",\"dependsOn\":[\"[parameters('vNetName')]\"],\"name\":\"[concat('es-lz-hub-',substring(uniqueString(subscription().id),0,6),'-peering')]\",\"properties\":{\"expressionEvaluationOptions\":{\"scope\":\"inner\"},\"mode\":\"Incremental\",\"parameters\":{\"hubName\":{\"value\":\"[split(parameters('hubResourceId'),'/')[8]]\"},\"remoteVirtualNetwork\":{\"value\":\"[concat(subscription().id,'/resourceGroups/',parameters('vNetRgName'), '/providers/','Microsoft.Network/virtualNetworks/', parameters('vNetName'))]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"hubName\":{\"defaultValue\":false,\"type\":\"String\"},\"remoteVirtualNetwork\":{\"defaultValue\":false,\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2021-02-01\",\"name\":\"[[concat(parameters('hubName'),'/',last(split(parameters('remoteVirtualNetwork'),'/')))]\",\"properties\":{\"allowForwardedTraffic\":true,\"allowGatewayTransit\":true,\"allowVirtualNetworkAccess\":true,\"remoteVirtualNetwork\":{\"id\":\"[[parameters('remoteVirtualNetwork')]\"},\"useRemoteGateways\":false},\"type\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\"}],\"variables\":{}}},\"resourceGroup\":\"[split(parameters('hubResourceId'),'/')[4]]\",\"subscriptionId\":\"[split(parameters('hubResourceId'),'/')[2]]\",\"type\":\"Microsoft.Resources/deployments\"}],\"variables\":{}}},\"resourceGroup\":\"[parameters('vNetRgName')]\",\"type\":\"Microsoft.Resources/deployments\"}],\"variables\":{}}}},\"deploymentScope\":\"subscription\",\"existenceCon
dition\":{\"allOf\":[{\"field\":\"name\",\"like\":\"[parameters('vNetName')]\"},{\"equals\":\"[parameters('vNetLocation')]\",\"field\":\"location\"}]},\"existenceScope\":\"resourceGroup\",\"name\":\"[parameters('vNetName')]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Network/virtualNetworks\"},\"effect\":\"deployIfNotExists\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Windows-DomainJoin\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Windows-DomainJoin", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy Windows Domain Join Extension with keyvault configuration when the extension does not exist on a given windows Virtual Machine", - "display_name": "Deploy Windows Domain Join Extension with keyvault configuration", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Guest Configuration\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Windows-DomainJoin", - "parameters": 
"{\"domainFQDN\":{\"metadata\":{\"displayName\":\"domainFQDN\"},\"type\":\"String\"},\"domainOUPath\":{\"metadata\":{\"displayName\":\"domainOUPath\"},\"type\":\"String\"},\"domainPassword\":{\"metadata\":{\"displayName\":\"domainPassword\"},\"type\":\"String\"},\"domainUsername\":{\"metadata\":{\"displayName\":\"domainUsername\"},\"type\":\"String\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"keyVaultResourceId\":{\"metadata\":{\"displayName\":\"keyVaultResourceId\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Compute/virtualMachines\",\"field\":\"type\"},{\"equals\":\"MicrosoftWindowsServer\",\"field\":\"Microsoft.Compute/imagePublisher\"},{\"equals\":\"WindowsServer\",\"field\":\"Microsoft.Compute/imageOffer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2008-R2-SP1-zhcn\",\"2012-Datacenter\",\"2012-datacenter-gensecond\",\"2012-Datacenter-smalldisk\",\"2012-datacenter-smalldisk-g2\",\"2012-Datacenter-zhcn\",\"2012-datacenter-zhcn-g2\",\"2012-R2-Datacenter\",\"2012-r2-datacenter-gensecond\",\"2012-R2-Datacenter-smalldisk\",\"2012-r2-datacenter-smalldisk-g2\",\"2012-R2-Datacenter-zhcn\",\"2012-r2-datacenter-zhcn-g2\",\"2016-Datacenter\",\"2016-datacenter-gensecond\",\"2016-datacenter-gs\",\"2016-Datacenter-Server-Core\",\"2016-datacenter-server-core-g2\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-datacenter-server-core-smalldisk-g2\",\"2016-Datacenter-smalldisk\",\"2016-datacenter-smalldisk-g2\",\"2016-Datacenter-with-Containers\",\"2016-datacenter-with-containers-g2\",\"2016-Datacenter-with-RDSH\",\"2016-Datacenter-zhcn\",\"2016-datacenter-zhcn-g2\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-datacenter-core-g2\",\"2019-Datacenter-Core-smalldisk\",\"2019-datacenter-cor
e-smalldisk-g2\",\"2019-Datacenter-Core-with-Containers\",\"2019-datacenter-core-with-containers-g2\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-datacenter-core-with-containers-smalldisk-g2\",\"2019-datacenter-gensecond\",\"2019-datacenter-gs\",\"2019-Datacenter-smalldisk\",\"2019-datacenter-smalldisk-g2\",\"2019-Datacenter-with-Containers\",\"2019-datacenter-with-containers-g2\",\"2019-Datacenter-with-Containers-smalldisk\",\"2019-datacenter-with-containers-smalldisk-g2\",\"2019-Datacenter-zhcn\",\"2019-datacenter-zhcn-g2\",\"Datacenter-Core-1803-with-Containers-smalldisk\",\"datacenter-core-1803-with-containers-smalldisk-g2\",\"Datacenter-Core-1809-with-Containers-smalldisk\",\"datacenter-core-1809-with-containers-smalldisk-g2\",\"Datacenter-Core-1903-with-Containers-smalldisk\",\"datacenter-core-1903-with-containers-smalldisk-g2\",\"datacenter-core-1909-with-containers-smalldisk\",\"datacenter-core-1909-with-containers-smalldisk-g1\",\"datacenter-core-1909-with-containers-smalldisk-g2\"]}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"domainFQDN\":{\"value\":\"[parameters('domainFQDN')]\"},\"domainOUPath\":{\"value\":\"[parameters('domainOUPath')]\"},\"domainPassword\":{\"reference\":{\"keyVault\":{\"id\":\"[parameters('keyVaultResourceId')]\"},\"secretName\":\"[parameters('domainPassword')]\"}},\"domainUsername\":{\"reference\":{\"keyVault\":{\"id\":\"[parameters('keyVaultResourceId')]\"},\"secretName\":\"[parameters('domainUsername')]\"}},\"keyVaultResourceId\":{\"value\":\"[parameters('keyVaultResourceId')]\"},\"location\":{\"value\":\"[field('location')]\"},\"vmName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"domainFQDN\":{\"type\":\"String\"},\"domainOUPath\":{\"type\":\"String\"},\"domainPassword\":{\"type\":\"securestring\"},\"
domainUsername\":{\"type\":\"String\"},\"keyVaultResourceId\":{\"type\":\"String\"},\"location\":{\"type\":\"String\"},\"vmName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2015-06-15\",\"location\":\"[resourceGroup().location]\",\"name\":\"[concat(variables('vmName'),'/joindomain')]\",\"properties\":{\"autoUpgradeMinorVersion\":true,\"protectedSettings\":{\"Password\":\"[parameters('domainPassword')]\"},\"publisher\":\"Microsoft.Compute\",\"settings\":{\"Name\":\"[parameters('domainFQDN')]\",\"OUPath\":\"[parameters('domainOUPath')]\",\"Options\":\"[variables('domainJoinOptions')]\",\"Restart\":\"true\",\"User\":\"[parameters('domainUserName')]\"},\"type\":\"JsonADDomainExtension\",\"typeHandlerVersion\":\"1.3\"},\"type\":\"Microsoft.Compute/virtualMachines/extensions\"}],\"variables\":{\"domainJoinOptions\":3,\"vmName\":\"[parameters('vmName')]\"}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"JsonADDomainExtension\",\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\"},{\"equals\":\"Microsoft.Compute\",\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\"}]},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"],\"type\":\"Microsoft.Compute/virtualMachines/extensions\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints\"]", - "mode": "managed", - "type": "azurerm_policy_set_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { 
- "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints", - "display_name": "Public network access should be disabled for PaaS services", - "management_group_name": "root-id-2", - "name": "Deny-PublicPaaSEndpoints", - "parameters": "{\"ACRPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies the creation of Azure Container Registires with exposed public endpoints \",\"displayName\":\"Public network access on Azure Container Registry disabled\"},\"type\":\"String\"},\"AFSPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies the creation of Azure File Sync instances with exposed public endpoints \",\"displayName\":\"Public network access on Azure File Sync disabled\"},\"type\":\"String\"},\"AKSPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies the creation of Azure Kubernetes Service non-private clusters\",\"displayName\":\"Public network access on AKS API should be disabled\"},\"type\":\"String\"},\"BatchPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of Azure Batch Instances with exposed public endpoints\",\"displayName\":\"Public network access should be disabled for Azure Batch Instances\"},\"type\":\"String\"},\"CosmosPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies that Cosmos database accounts are created with out public network access is disabled.\",\"displayName\":\"Public network access should be disabled for 
CosmosDB\"},\"type\":\"String\"},\"KeyVaultPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\",\"displayName\":\"Public network access should be disabled for KeyVault\"},\"type\":\"String\"},\"MySQLFlexPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\",\"displayName\":\"Public network access should be disabled for MySQL Flexible Server\"},\"type\":\"String\"},\"PostgreSQLFlexPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of Postgre SQL Flexible DB accounts with exposed public endpoints\",\"displayName\":\"Public network access should be disabled for PostgreSql Flexible Server\"},\"type\":\"String\"},\"SqlServerPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of Sql servers with exposed public endpoints\",\"displayName\":\"Public network access on Azure SQL Database should be disabled\"},\"type\":\"String\"},\"StoragePublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\",\"displayName\":\"Public network access onStorage accounts should be disabled\"},\"type\":\"String\"}}", - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('CosmosPublicIpDenyEffect')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a", - "policy_group_names": null, - "reference_id": "CosmosDenyPaasPublicIP" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('KeyVaultPublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490", - "policy_group_names": null, - "reference_id": "KeyVaultDenyPaasPublicIP" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlServerPublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780", - "policy_group_names": null, - "reference_id": "SqlServerDenyPaasPublicIP" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('StoragePublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c", - "policy_group_names": null, - "reference_id": "StorageDenyPaasPublicIP" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AKSPublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8", - "policy_group_names": null, - "reference_id": "AKSDenyPaasPublicIP" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('ACRPublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f", - "policy_group_names": null, - "reference_id": "ACRDenyPaasPublicIP" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AFSPublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7", - "policy_group_names": null, - "reference_id": "AFSDenyPaasPublicIP" - }, - { - "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48", - "policy_group_names": null, - "reference_id": "PostgreSQLFlexDenyPublicIP" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLFlexPublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052", - "policy_group_names": null, - "reference_id": "MySQLFlexDenyPublicIP" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('BatchPublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488", - "policy_group_names": null, - "reference_id": "BatchDenyPublicIP" - } - ], - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": { - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - } - ] - } - }, - { - "address": "module.test_root_id_2.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics\"]", - "mode": "managed", - "type": "azurerm_policy_set_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy set deploys the configurations of application Azure resources to 
forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included ", - "display_name": "Deploy Diagnostic Settings to Azure Services", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "name": "Deploy-Diagnostics-LogAnalytics", - "parameters": "{\"ACILogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\",\"displayName\":\"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\"},\"type\":\"String\"},\"ACRLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\",\"displayName\":\"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\"},\"type\":\"String\"},\"AKSLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled.\",\"displayName\":\"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\"},\"type\":\"String\"},\"APIMgmtLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for API Management to Log Analytics workspace\"},\"type\":\"String\"},\"APIforFHIRLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\"},\"type\":\"String\"},\"AnalysisServiceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\"},\"type\":\"String\"},\"AppServiceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\"},\"type\":\"String\"},\"AppServiceWebappLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for App Service to Log Analytics workspace\"},\"type\":\"String\"},\"ApplicationGatewayLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\"},\"type\":\"String\"},\"AutomationLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Automation to Log Analytics workspace\"},\"type\":\"String\"},\"BatchLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Batch to Log Analytics workspace\"},\"type\":\"String\"},\"CDNEndpointsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\"},\"type\":\"String\"},\"CognitiveServicesLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\"},\"type\":\"String\"},\"CosmosLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\"},\"type\":\"String\"},\"DataExplorerClusterLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\"},\"type\":\"String\"},\"DataFactoryLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\"},\"type\":\"String\"},\"DataLakeAnalyticsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\"},\"type\":\"String\"},\"DataLakeStoreLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\"},\"type\":\"String\"},\"DatabricksLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\"},\"type\":\"String\"},\"EventGridSubLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\"},\"type\":\"String\"},\"EventGridTopicLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\"},\"type\":\"String\"},\"EventHubLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\"},\"type\":\"String\"},\"EventSystemTopicLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\"},\"type\":\"String\"},\"ExpressRouteLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\"},\"type\":\"String\"},\"FirewallLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\"},\"type\":\"String\"},\"FrontDoorLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\"},\"type\":\"String\"},\"FunctionAppLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\"},\"type\":\"String\"},\"HDInsightLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\"},\"type\":\"String\"},\"IotHubLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\"},\"type\":\"String\"},\"KeyVaultLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\"},\"type\":\"String\"},\"LoadBalancerLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\"},\"type\":\"String\"},\"LogicAppsISELogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\"},\"type\":\"String\"},\"LogicAppsWFLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\"},\"type\":\"String\"},\"MariaDBLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\"},\"type\":\"String\"},\"MediaServiceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\"},\"type\":\"String\"},\"MlWorkspaceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\"},\"type\":\"String\"},\"MySQLLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\"},\"type\":\"String\"},\"NetworkNICLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\"},\"type\":\"String\"},\"NetworkPublicIPNicLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\"},\"type\":\"String\"},\"NetworkSecurityGroupsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\"},\"type\":\"String\"},\"PostgreSQLLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\"},\"type\":\"String\"},\"PowerBIEmbeddedLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\"},\"type\":\"String\"},\"RedisCacheLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\"},\"type\":\"String\"},\"RelayLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Relay to Log Analytics workspace\"},\"type\":\"String\"},\"SQLDBsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\"},\"type\":\"String\"},\"SQLElasticPoolsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\"},\"type\":\"String\"},\"SQLMLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\"},\"type\":\"String\"},\"SearchServicesLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\"},\"type\":\"String\"},\"ServiceBusLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\"},\"type\":\"String\"},\"SignalRLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\"},\"type\":\"String\"},\"StorageAccountsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\"},\"type\":\"String\"},\"StreamAnalyticsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\"},\"type\":\"String\"},\"TimeSeriesInsightsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\"},\"type\":\"String\"},\"TrafficManagerLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\"},\"type\":\"String\"},\"VMSSLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\"},\"type\":\"String\"},\"VNetGWLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\",\"displayName\":\"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\"},\"type\":\"String\"},\"VirtualMachinesLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\"},\"type\":\"String\"},\"VirtualNetworkLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\"},\"type\":\"String\"},\"WVDAppGroupsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for WVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for WVD Application Groups to Log Analytics workspace\"},\"type\":\"String\"},\"WVDHostPoolsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for WVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for WVD Host pools to Log Analytics workspace\"},\"type\":\"String\"},\"WVDWorkspaceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for WVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for WVD Workspace to Log Analytics workspace\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('StorageAccountsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474", - "policy_group_names": null, - "reference_id": "StorageAccountDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('WVDAppGroupsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup", - "policy_group_names": null, - "reference_id": "WVDAppGroupDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('WVDWorkspaceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace", - "policy_group_names": null, - "reference_id": "WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('WVDHostPoolsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools", - "policy_group_names": null, - "reference_id": "WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('ACILogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI", - "policy_group_names": null, - "reference_id": "ACIDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('ACRLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR", - "policy_group_names": null, - "reference_id": "ACRDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"diagnosticsSettingNameToUse\":{\"value\":\"[parameters('profileName')]\"},\"effect\":{\"value\":\"[parameters('AKSLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8", - "policy_group_names": null, - "reference_id": "AKSDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AnalysisServiceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService", - "policy_group_names": null, - "reference_id": "AnalysisServiceDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('APIforFHIRLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR", - "policy_group_names": null, - "reference_id": "APIforFHIRDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('APIMgmtLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt", - "policy_group_names": null, - "reference_id": "APIMgmtDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('ApplicationGatewayLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway", - "policy_group_names": null, - "reference_id": "ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AutomationLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA", - "policy_group_names": null, - "reference_id": "AutomationDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('BatchLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5", - "policy_group_names": null, - "reference_id": "BatchDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('CDNEndpointsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints", - "policy_group_names": null, - "reference_id": "CDNEndpointsDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('CognitiveServicesLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices", - "policy_group_names": null, - "reference_id": "CognitiveServicesDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('CosmosLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB", - "policy_group_names": null, - "reference_id": "CosmosDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('DatabricksLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks", - "policy_group_names": null, - "reference_id": "DatabricksDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataExplorerClusterLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - 
"policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster", - "policy_group_names": null, - "reference_id": "DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataFactoryLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory", - "policy_group_names": null, - "reference_id": "DataFactoryDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataLakeStoreLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03", - "policy_group_names": null, - "reference_id": "DataLakeStoreDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics", - "policy_group_names": null, - "reference_id": "DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('EventGridSubLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - 
"policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub", - "policy_group_names": null, - "reference_id": "EventGridSubDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('EventGridTopicLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic", - "policy_group_names": null, - "reference_id": "EventGridTopicDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('EventHubLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579", - "policy_group_names": null, - "reference_id": "EventHubDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('EventSystemTopicLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic", - "policy_group_names": null, - "reference_id": "EventSystemTopicDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('ExpressRouteLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - 
"policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute", - "policy_group_names": null, - "reference_id": "ExpressRouteDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('FirewallLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall", - "policy_group_names": null, - "reference_id": "FirewallDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('FrontDoorLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor", - "policy_group_names": null, - "reference_id": "FrontDoorDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('FunctionAppLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function", - "policy_group_names": null, - "reference_id": "FunctionAppDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('HDInsightLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - 
"policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight", - "policy_group_names": null, - "reference_id": "HDInsightDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('IotHubLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub", - "policy_group_names": null, - "reference_id": "IotHubDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('KeyVaultLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47", - "policy_group_names": null, - "reference_id": "KeyVaultDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('LoadBalancerLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer", - "policy_group_names": null, - "reference_id": "LoadBalancerDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('LogicAppsISELogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE", - "policy_group_names": null, - "reference_id": "LogicAppsISEDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('LogicAppsWFLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721", - "policy_group_names": null, - "reference_id": "LogicAppsWFDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('MariaDBLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB", - "policy_group_names": null, - "reference_id": "MariaDBDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('MediaServiceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService", - "policy_group_names": null, - "reference_id": "MediaServiceDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('MlWorkspaceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace", - "policy_group_names": null, - "reference_id": "MlWorkspaceDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL", - "policy_group_names": null, - "reference_id": "MySQLDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups", - "policy_group_names": null, - "reference_id": "NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('NetworkNICLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC", - "policy_group_names": null, - "reference_id": "NetworkNICDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - 
"policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL", - "policy_group_names": null, - "reference_id": "PostgreSQLDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded", - "policy_group_names": null, - "reference_id": "PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"True\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648", - "policy_group_names": null, - "reference_id": "NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3", - "policy_group_names": null, - "reference_id": "RecoveryVaultDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('RedisCacheLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache", - "policy_group_names": null, - "reference_id": "RedisCacheDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('RelayLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay", - "policy_group_names": null, - "reference_id": "RelayDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SearchServicesLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d", - "policy_group_names": null, - "reference_id": "SearchServicesDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('ServiceBusLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e", - "policy_group_names": null, - "reference_id": "ServiceBusDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SignalRLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR", - "policy_group_names": null, - "reference_id": "SignalRDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"diagnosticsSettingNameToUse\":{\"value\":\"[parameters('profileName')]\"},\"effect\":{\"value\":\"[parameters('SQLDBsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84", - "policy_group_names": null, - "reference_id": "SQLDatabaseDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools", - "policy_group_names": null, - "reference_id": "SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLMLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI", - "policy_group_names": null, - "reference_id": "SQLMDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('StreamAnalyticsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673", - "policy_group_names": null, - "reference_id": "StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights", - "policy_group_names": null, - "reference_id": "TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('TrafficManagerLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager", - "policy_group_names": null, - "reference_id": "TrafficManagerDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('VirtualNetworkLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork", - "policy_group_names": null, - "reference_id": "VirtualNetworkDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('VirtualMachinesLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM", - "policy_group_names": null, - "reference_id": "VirtualMachinesDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('VMSSLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS", - "policy_group_names": null, - "reference_id": "VMSSDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('VNetGWLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW", - "policy_group_names": null, - "reference_id": "VNetGWDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AppServiceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm", - "policy_group_names": null, - "reference_id": "AppServiceDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AppServiceWebappLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website", - "policy_group_names": null, - "reference_id": "AppServiceWebappDeployDiagnosticLogDeployLogAnalytics" - } - ], - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": { - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - 
"parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - } - ] - } - }, - { - "address": "module.test_root_id_2.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config\"]", - "mode": "managed", - "type": "azurerm_policy_set_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy Microsoft Defender for Cloud configuration", - "display_name": "Deploy Microsoft Defender for Cloud configuration", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Security Center\",\"version\":\"3.0.0\"}", - "name": "Deploy-MDFC-Config", - "parameters": "{\"ascExportResourceGroupLocation\":{\"metadata\":{\"description\":\"The location where the resource group and the export to Log Analytics workspace configuration are created.\",\"displayName\":\"Resource Group location for the export to Log Analytics workspace configuration\"},\"type\":\"String\"},\"ascExportResourceGroupName\":{\"metadata\":{\"description\":\"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. 
Note that each resource group can only have one export to Log Analytics workspace configured.\",\"displayName\":\"Resource Group name for the export to Log Analytics workspace configuration\"},\"type\":\"String\"},\"emailSecurityContact\":{\"metadata\":{\"description\":\"Provide email address for Microsoft Defender for Cloud contact details\",\"displayName\":\"Security contacts email address\"},\"type\":\"string\"},\"enableAscForAppServices\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForArm\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForContainers\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForDns\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForKeyVault\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForOssDb\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForServers\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForSql\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForSqlOnVm\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForStorage\":{\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Primary Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"}}", - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForOssDb')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a", - "policy_group_names": null, - "reference_id": "defenderForOssDb" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForServers')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222", - "policy_group_names": null, - "reference_id": "defenderForVM" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForSqlOnVm')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3", - "policy_group_names": null, - "reference_id": "defenderForSqlServerVirtualMachines" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForAppServices')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d", - "policy_group_names": null, - "reference_id": "defenderForAppServices" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForStorage')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3", - "policy_group_names": null, - "reference_id": "defenderForStorageAccounts" - }, - { - 
"parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForContainers')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f", - "policy_group_names": null, - "reference_id": "defenderforContainers" - }, - { - "parameter_values": "{\"Effect\":{\"value\":\"[parameters('enableAscForKeyVault')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7", - "policy_group_names": null, - "reference_id": "defenderForKeyVaults" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForDns')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f", - "policy_group_names": null, - "reference_id": "defenderForDns" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForArm')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9", - "policy_group_names": null, - "reference_id": "defenderForArm" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForSql')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491", - "policy_group_names": null, - "reference_id": "defenderForSqlPaas" - }, - { - "parameter_values": "{\"emailSecurityContact\":{\"value\":\"[parameters('emailSecurityContact')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts", - "policy_group_names": null, - "reference_id": "securityEmailContact" - }, - { - "parameter_values": 
"{\"resourceGroupLocation\":{\"value\":\"[parameters('ascExportResourceGroupLocation')]\"},\"resourceGroupName\":{\"value\":\"[parameters('ascExportResourceGroupName')]\"},\"workspaceResourceId\":{\"value\":\"[parameters('logAnalytics')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9", - "policy_group_names": null, - "reference_id": "ascExport" - } - ], - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": { - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - } - ] - } - }, - { - "address": "module.test_root_id_2.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones\"]", - "mode": "managed", - "type": "azurerm_policy_set_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones", - "display_name": "Configure Azure PaaS services to use private DNS zones", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", - "name": "Deploy-Private-DNS-Zones", - "parameters": "{\"azureAcrPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone 
Identifier\",\"displayName\":\"azureAcrPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureAppPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureAppPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureAppServicesPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureAppServicesPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureAsrPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureAsrPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureBatchPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureBatchPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureCognitiveSearchPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureCognitiveSearchPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureCognitiveServicesPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureCognitiveServicesPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureDiskAccessPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureDiskAccessPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureEventGridDomainsPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone 
Identifier\",\"displayName\":\"azureEventGridDomainsPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureEventGridTopicsPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureEventGridTopicsPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureEventHubNamespacePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureEventHubNamespacePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureFilePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureFilePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureIotHubsPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureIotHubsPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureIotPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureIotPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureKeyVaultPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureKeyVaultPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureMachineLearningWorkspacePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureMachineLearningWorkspacePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureRedisCachePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone 
Identifier\",\"displayName\":\"azureRedisCachePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureServiceBusNamespacePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureServiceBusNamespacePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureSignalRPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureSignalRPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureWebPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureWebPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"string\"},\"effect1\":{\"allowedValues\":[\"deployIfNotExists\",\"Disabled\"],\"defaultValue\":\"deployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"string\"}}", - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureFileprivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-File-Sync" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureWebPrivateDnsZoneId')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-Web" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureBatchPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-Batch" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureAppPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-App" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureAsrPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-Site-Recovery" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureIotPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-IoT" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureKeyVaultPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-KeyVault" - }, 
- { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureSignalRPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-SignalR" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureAppServicesPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-AppServices" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect1')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-EventGridTopics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureDiskAccessPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-DiskAccess" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-CognitiveServices" - }, - { - "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('effect1')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureIotHubsPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-IoTHubs" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect1')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-EventGridDomains" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureRedisCachePrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-RedisCache" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureAcrPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-ACR" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-EventHubNamespace" - }, - { - "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-MachineLearningWorkspace" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-ServiceBusNamespace" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-CognitiveSearch" - } - ], - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": { - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - } - ] - } - }, - { - "address": 
"module.test_root_id_2.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security\"]", - "mode": "managed", - "type": "azurerm_policy_set_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment", - "display_name": "Deploy SQL Database built-in SQL security configuration", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "name": "Deploy-Sql-Security", - "parameters": "{\"SqlDbAuditingSettingsDeploySqlSecurityEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy auditing settings to SQL Database when it not exist in the deployment\",\"displayName\":\"Deploy SQL database auditing settings\"},\"type\":\"String\"},\"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\",\"displayName\":\"Deploy SQL Database security Alert Policies configuration with email admin accounts\"},\"type\":\"String\"},\"SqlDbTdeDeploySqlSecurityEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy the Transparent Data Encryption when it is not enabled in the deployment\",\"displayName\":\"Deploy SQL Database Transparent Data Encryption 
\"},\"type\":\"String\"},\"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\",\"displayName\":\"Deploy SQL Database vulnerability Assessments\"},\"type\":\"String\"},\"vulnerabilityAssessmentsEmail\":{\"metadata\":{\"description\":\"The email address to send alerts\",\"displayName\":\"The email address to send alerts\"},\"type\":\"String\"},\"vulnerabilityAssessmentsStorageID\":{\"metadata\":{\"description\":\"The storage account ID to store assessments\",\"displayName\":\"The storage account ID to store assessments\"},\"type\":\"String\"}}", - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde", - "policy_group_names": null, - "reference_id": "SqlDbTdeDeploySqlSecurity" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies", - "policy_group_names": null, - "reference_id": "SqlDbSecurityAlertPoliciesDeploySqlSecurity" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings", - "policy_group_names": null, - "reference_id": "SqlDbAuditingSettingsDeploySqlSecurity" - 
}, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"},\"vulnerabilityAssessmentsEmail\":{\"value\":\"[parameters('vulnerabilityAssessmentsEmail')]\"},\"vulnerabilityAssessmentsStorageID\":{\"value\":\"[parameters('vulnerabilityAssessmentsStorageID')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments", - "policy_group_names": null, - "reference_id": "SqlDbVulnerabilityAssessmentsDeploySqlSecurity" - } - ], - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": { - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - } - ] - } - }, - { - "address": "module.test_root_id_2.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit\"]", - "mode": "managed", - "type": "azurerm_policy_set_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit. 
", - "display_name": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Encryption\",\"version\":\"1.0.0\"}", - "name": "Enforce-EncryptTransit", - "parameters": "{\"AKSIngressHttpsOnlyEffect\":{\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"deny\",\"metadata\":{\"description\":\"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\",\"displayName\":\"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\"},\"type\":\"String\"},\"APIAppServiceHttpsEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\"displayName\":\"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\"},\"type\":\"String\"},\"APIAppServiceLatestTlsEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"App Service API App. Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\",\"displayName\":\"App Service API App. Latest TLS version should be used in your API App\"},\"type\":\"String\"},\"AppServiceHttpEffect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\",\"displayName\":\"App Service. 
Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\"},\"type\":\"String\"},\"AppServiceTlsVersionEffect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\",\"displayName\":\"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\"},\"type\":\"String\"},\"AppServiceminTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"App Service. Select version minimum TLS version for a Web App config to enforce\",\"displayName\":\"App Service. Select version minimum TLS Web App config\"},\"type\":\"String\"},\"FunctionLatestTlsEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\",\"displayName\":\"App Service Function App. Latest TLS version should be used in your Function App\"},\"type\":\"String\"},\"FunctionServiceHttpsEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\"displayName\":\"App Service Function App. Function App should only be accessible over HTTPS. 
Choose Deny or Audit in combination with Append policy.\"},\"type\":\"String\"},\"MySQLEnableSSLDeployEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\"},\"type\":\"String\"},\"MySQLEnableSSLEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\"},\"type\":\"String\"},\"MySQLminimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"MySQL database servers. 
Select version minimum TLS for MySQL server\"},\"type\":\"String\"},\"PostgreSQLEnableSSLDeployEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\"},\"type\":\"String\"},\"PostgreSQLEnableSSLEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\"},\"type\":\"String\"},\"PostgreSQLminimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"PostgreSQL database servers. 
Select version minimum TLS for MySQL server\"},\"type\":\"String\"},\"RedisMinTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version for a Azure Cache for Redis to enforce\",\"displayName\":\"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\"},\"type\":\"String\"},\"RedisTLSDeployEffect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\"},\"type\":\"String\"},\"RedisTLSEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\"displayName\":\"Azure Cache for Redis. 
Only secure connections to your Azure Cache for Redis should be enabled\"},\"type\":\"String\"},\"SQLManagedInstanceMinTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version for Azure Managed Instanceto to enforce\",\"displayName\":\"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\"},\"type\":\"String\"},\"SQLManagedInstanceTLSDeployEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\"},\"type\":\"String\"},\"SQLManagedInstanceTLSEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\",\"displayName\":\"SQL Managed Instance should have the minimal TLS version of 1.2\"},\"type\":\"String\"},\"SQLServerTLSDeployEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. 
Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\"},\"type\":\"String\"},\"SQLServerTLSEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\",\"displayName\":\"Azure SQL Database should have the minimal TLS version of 1.2\"},\"type\":\"String\"},\"SQLServerminTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version for Azure SQL Database to enforce\",\"displayName\":\"Azure SQL Database.Select version minimum TLS for Azure SQL Database\"},\"type\":\"String\"},\"StorageDeployHttpsEnabledEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\",\"displayName\":\"Azure Storage Account. 
Deploy Secure transfer to storage accounts should be enabled\"},\"type\":\"String\"},\"StorageHttpsEnabledEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\",\"displayName\":\"Azure Storage Account. Secure transfer to storage accounts should be enabled\"},\"type\":\"String\"},\"StorageminimumTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_1\",\"TLS1_0\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version on Azure Storage Account to enforce\",\"displayName\":\"Storage Account select minimum TLS version\"},\"type\":\"String\"},\"WebAppServiceHttpsEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\"displayName\":\"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\"},\"type\":\"String\"},\"WebAppServiceLatestTlsEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\",\"displayName\":\"App Service Web App. 
Latest TLS version should be used in your Web App\"},\"type\":\"String\"}}", - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AppServiceHttpEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", - "policy_group_names": null, - "reference_id": "AppServiceHttpEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AppServiceTlsVersionEffect')]\"},\"minTlsVersion\":{\"value\":\"[parameters('AppServiceminTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", - "policy_group_names": null, - "reference_id": "AppServiceminTlsVersion" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('APIAppServiceLatestTlsEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e", - "policy_group_names": null, - "reference_id": "APIAppServiceLatestTlsEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('FunctionLatestTlsEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", - "policy_group_names": null, - "reference_id": "FunctionLatestTlsEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('WebAppServiceLatestTlsEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", - "policy_group_names": null, - "reference_id": "WebAppServiceLatestTlsEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('APIAppServiceHttpsEffect')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", - "policy_group_names": null, - "reference_id": "APIAppServiceHttpsEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('FunctionServiceHttpsEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", - "policy_group_names": null, - "reference_id": "FunctionServiceHttpsEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('WebAppServiceHttpsEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", - "policy_group_names": null, - "reference_id": "WebAppServiceHttpsEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AKSIngressHttpsOnlyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", - "policy_group_names": null, - "reference_id": "AKSIngressHttpsOnlyEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLEnableSSLDeployEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('MySQLminimalTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", - "policy_group_names": null, - "reference_id": "MySQLEnableSSLDeployEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLEnableSSLEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('MySQLminimalTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", - 
"policy_group_names": null, - "reference_id": "MySQLEnableSSLEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLEnableSSLDeployEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('PostgreSQLminimalTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", - "policy_group_names": null, - "reference_id": "PostgreSQLEnableSSLDeployEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLEnableSSLEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('PostgreSQLminimalTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", - "policy_group_names": null, - "reference_id": "PostgreSQLEnableSSLEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('RedisTLSDeployEffect')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('RedisMinTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", - "policy_group_names": null, - "reference_id": "RedisTLSDeployEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('RedisTLSDeployEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", - "policy_group_names": null, - "reference_id": "RedisdisableNonSslPort" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('RedisTLSEffect')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('RedisMinTlsVersion')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", - "policy_group_names": null, - "reference_id": "RedisDenyhttps" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLManagedInstanceTLSDeployEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('SQLManagedInstanceMinTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", - "policy_group_names": null, - "reference_id": "SQLManagedInstanceTLSDeployEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLManagedInstanceTLSEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('SQLManagedInstanceMinTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", - "policy_group_names": null, - "reference_id": "SQLManagedInstanceTLSEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLServerTLSDeployEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('SQLServerminTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", - "policy_group_names": null, - "reference_id": "SQLServerTLSDeployEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLServerTLSEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('SQLServerminTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", - "policy_group_names": null, - "reference_id": "SQLServerTLSEffect" - }, - { - "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('StorageHttpsEnabledEffect')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('StorageMinimumTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS", - "policy_group_names": null, - "reference_id": "StorageHttpsEnabledEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('StorageDeployHttpsEnabledEffect')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('StorageMinimumTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", - "policy_group_names": null, - "reference_id": "StorageDeployHttpsEnabledEffect" - } - ], - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": { - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - } - ] - } - }, - { - "address": "module.test_root_id_2.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK\"]", - "mode": "managed", - "type": "azurerm_policy_set_definition", - "name": "enterprise_scale", - "index": 
"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", - "display_name": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", - "management_group_name": "root-id-2", - "metadata": "{\"category\":\"Encryption\",\"version\":\"1.0.0\"}", - "name": "Enforce-Encryption-CMK", - "parameters": "{\"ACRCmkEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\",\"displayName\":\"Container registries should be encrypted with a customer-managed key (CMK)\"},\"type\":\"String\"},\"AksCmkEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. 
This is a common requirement in many regulatory and industry compliance standards.\",\"displayName\":\"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\"},\"type\":\"String\"},\"AzureBatchCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\",\"displayName\":\"Azure Batch account should use customer-managed keys to encrypt data\"},\"type\":\"String\"},\"CognitiveServicesCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\",\"displayName\":\"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\"},\"type\":\"String\"},\"CosmosCMKEffect\":{\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\",\"metadata\":{\"description\":\"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. 
By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\",\"displayName\":\"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\"},\"type\":\"String\"},\"DataBoxCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\",\"displayName\":\"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\"},\"type\":\"String\"},\"EncryptedVMDisksEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\",\"displayName\":\"Disk encryption should be applied on virtual machines\"},\"type\":\"String\"},\"HealthcareAPIsCMKEffect\":{\"allowedValues\":[\"audit\",\"disabled\"],\"defaultValue\":\"audit\",\"metadata\":{\"description\":\"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. 
Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\",\"displayName\":\"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\"},\"type\":\"String\"},\"MySQLCMKEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\"displayName\":\"Azure MySQL servers bring your own key data protection should be enabled\"},\"type\":\"String\"},\"PostgreSQLCMKEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.\",\"displayName\":\"Azure PostgreSQL servers bring your own key data protection should be enabled\"},\"type\":\"String\"},\"SqlServerTDECMKEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\",\"displayName\":\"SQL servers should use customer-managed keys to encrypt data at rest\"},\"type\":\"String\"},\"StorageCMKEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\",\"displayName\":\"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\"},\"type\":\"String\"},\"StreamAnalyticsCMKEffect\":{\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\",\"metadata\":{\"description\":\"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. 
This gives you total control over how your Stream Analytics data is encrypted.\",\"displayName\":\"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\"},\"type\":\"String\"},\"SynapseWorkspaceCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\",\"displayName\":\"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\"},\"type\":\"String\"},\"WorkspaceCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\",\"displayName\":\"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\"},\"type\":\"String\"}}", - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('ACRCmkEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580", - "policy_group_names": null, - "reference_id": "ACRCmkDeny" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AksCmkEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67", - "policy_group_names": null, - "reference_id": "AksCmkDeny" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('WorkspaceCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8", - "policy_group_names": null, - "reference_id": "WorkspaceCMK" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('CognitiveServicesCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d", - "policy_group_names": null, - "reference_id": "CognitiveServicesCMK" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('CosmosCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f", - "policy_group_names": null, - "reference_id": "CosmosCMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataBoxCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae", - "policy_group_names": null, - "reference_id": "DataBoxCMKEffect" - }, - { - "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('StreamAnalyticsCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7", - "policy_group_names": null, - "reference_id": "StreamAnalyticsCMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SynapseWorkspaceCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385", - "policy_group_names": null, - "reference_id": "SynapseWorkspaceCMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('StorageCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25", - "policy_group_names": null, - "reference_id": "StorageCMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833", - "policy_group_names": null, - "reference_id": "MySQLCMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274", - "policy_group_names": null, - "reference_id": "PostgreSQLCMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlServerTDECMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd", - "policy_group_names": null, - "reference_id": "SqlServerTDECMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('HealthcareAPIsCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119", - "policy_group_names": null, - "reference_id": 
"HealthcareAPIsCMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AzureBatchCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a", - "policy_group_names": null, - "reference_id": "AzureBatchCMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('EncryptedVMDisksEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d", - "policy_group_names": null, - "reference_id": "EncryptedVMDisksEffect" - } - ], - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": { - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - } - ] - } - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2-connectivity/providers/Microsoft.Authorization/roleAssignments/d189d3f3-6d6b-527e-9d7f-570507d2b20c\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-connectivity/providers/Microsoft.Authorization/roleAssignments/d189d3f3-6d6b-527e-9d7f-570507d2b20c", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "d189d3f3-6d6b-527e-9d7f-570507d2b20c", - "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2-connectivity", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2-corp/providers/Microsoft.Authorization/roleAssignments/b558d8b8-b0f9-514b-96e4-7f424c822792\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-corp/providers/Microsoft.Authorization/roleAssignments/b558d8b8-b0f9-514b-96e4-7f424c822792", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "b558d8b8-b0f9-514b-96e4-7f424c822792", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2-corp", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2-corp/providers/Microsoft.Authorization/roleAssignments/ed83e891-ec89-582f-8bc1-1246b062f288\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-corp/providers/Microsoft.Authorization/roleAssignments/ed83e891-ec89-582f-8bc1-1246b062f288", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": 
"ed83e891-ec89-582f-8bc1-1246b062f288", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2-corp", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2-corp/providers/Microsoft.Authorization/roleAssignments/f2bca938-939d-5d06-9ffc-0673b9cc0cf3\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-corp/providers/Microsoft.Authorization/roleAssignments/f2bca938-939d-5d06-9ffc-0673b9cc0cf3", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "f2bca938-939d-5d06-9ffc-0673b9cc0cf3", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2-corp", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2-demo-corp/providers/Microsoft.Authorization/roleAssignments/08c989a2-a687-5383-8853-df895aaf0cf8\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-demo-corp/providers/Microsoft.Authorization/roleAssignments/08c989a2-a687-5383-8853-df895aaf0cf8", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": 
null, - "description": null, - "name": "08c989a2-a687-5383-8853-df895aaf0cf8", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2-demo-corp", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2-demo-corp/providers/Microsoft.Authorization/roleAssignments/b52d052b-5586-55dc-99a8-4765e6133797\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-demo-corp/providers/Microsoft.Authorization/roleAssignments/b52d052b-5586-55dc-99a8-4765e6133797", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "b52d052b-5586-55dc-99a8-4765e6133797", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2-demo-corp", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2-demo-corp/providers/Microsoft.Authorization/roleAssignments/d566df36-2dae-5a0a-a6af-6b500cc19f83\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-demo-corp/providers/Microsoft.Authorization/roleAssignments/d566df36-2dae-5a0a-a6af-6b500cc19f83", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - 
"condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "d566df36-2dae-5a0a-a6af-6b500cc19f83", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2-demo-corp", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2-identity/providers/Microsoft.Authorization/roleAssignments/825d48cd-533f-57a4-a1ae-26c45a829ae1\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-identity/providers/Microsoft.Authorization/roleAssignments/825d48cd-533f-57a4-a1ae-26c45a829ae1", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "825d48cd-533f-57a4-a1ae-26c45a829ae1", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2-identity", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2-identity/providers/Microsoft.Authorization/roleAssignments/c734eb7c-72ef-5b04-859f-ab456cbe6718\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-identity/providers/Microsoft.Authorization/roleAssignments/c734eb7c-72ef-5b04-859f-ab456cbe6718", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - 
"schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "c734eb7c-72ef-5b04-859f-ab456cbe6718", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2-identity", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/roleAssignments/1c22bd8b-ff62-53e3-ac20-b17288b27769\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/roleAssignments/1c22bd8b-ff62-53e3-ac20-b17288b27769", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "1c22bd8b-ff62-53e3-ac20-b17288b27769", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/roleAssignments/709d87f0-a79a-5894-83ac-e008c762d385\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": 
"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/roleAssignments/709d87f0-a79a-5894-83ac-e008c762d385", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "709d87f0-a79a-5894-83ac-e008c762d385", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/roleAssignments/7c0a4ad6-99e7-5a06-84cb-7dc3f3f2194a\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/roleAssignments/7c0a4ad6-99e7-5a06-84cb-7dc3f3f2194a", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "7c0a4ad6-99e7-5a06-84cb-7dc3f3f2194a", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/roleAssignments/b0d06e13-d382-55cf-b677-5069319add24\"]", - "mode": 
"managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/roleAssignments/b0d06e13-d382-55cf-b677-5069319add24", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "b0d06e13-d382-55cf-b677-5069319add24", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/roleAssignments/ebd51492-dfb8-5a67-90db-1f38a4ef733d\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/roleAssignments/ebd51492-dfb8-5a67-90db-1f38a4ef733d", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "ebd51492-dfb8-5a67-90db-1f38a4ef733d", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/roleAssignments/f52eb144-7254-5bcf-8e33-8dfbb7e62d02\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/roleAssignments/f52eb144-7254-5bcf-8e33-8dfbb7e62d02", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "f52eb144-7254-5bcf-8e33-8dfbb7e62d02", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/roleAssignments/fec515d0-9459-5b30-9c74-dc777519709e\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/roleAssignments/fec515d0-9459-5b30-9c74-dc777519709e", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "fec515d0-9459-5b30-9c74-dc777519709e", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/18ed5180-3e48-46fd-8541-4ea054d57064", - "scope": 
"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2-management/providers/Microsoft.Authorization/roleAssignments/6b58519d-8e69-5306-babc-951055a5142d\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2-management/providers/Microsoft.Authorization/roleAssignments/6b58519d-8e69-5306-babc-951055a5142d", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "6b58519d-8e69-5306-babc-951055a5142d", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2-management", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/14ada2f5-4c53-51db-851b-d9a6ec4ec1af\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/14ada2f5-4c53-51db-851b-d9a6ec4ec1af", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "14ada2f5-4c53-51db-851b-d9a6ec4ec1af", - "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/1507af67-dccd-5f03-9e3e-22de8cc8d9c6\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/1507af67-dccd-5f03-9e3e-22de8cc8d9c6", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "1507af67-dccd-5f03-9e3e-22de8cc8d9c6", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/1f817184-222e-52e6-b1ce-c767e40c9e47\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/1f817184-222e-52e6-b1ce-c767e40c9e47", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "1f817184-222e-52e6-b1ce-c767e40c9e47", - "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/222e185c-14da-56d6-98ba-40beda284a70\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/222e185c-14da-56d6-98ba-40beda284a70", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "222e185c-14da-56d6-98ba-40beda284a70", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/33f69b32-5b45-5b7b-a180-bcdfa870c394\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/33f69b32-5b45-5b7b-a180-bcdfa870c394", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "33f69b32-5b45-5b7b-a180-bcdfa870c394", - "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/409f8346-a824-5156-b815-ea5c6b073b05\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/409f8346-a824-5156-b815-ea5c6b073b05", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "409f8346-a824-5156-b815-ea5c6b073b05", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/73ea886d-d735-57db-ab2a-591d0cb9e28c\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/73ea886d-d735-57db-ab2a-591d0cb9e28c", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "73ea886d-d735-57db-ab2a-591d0cb9e28c", - "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/78776431-71d1-5e97-8bba-6c486c9d5743\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/78776431-71d1-5e97-8bba-6c486c9d5743", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "78776431-71d1-5e97-8bba-6c486c9d5743", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/ccb312fc-0999-5d7d-8022-1091fc09787a\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/ccb312fc-0999-5d7d-8022-1091fc09787a", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "ccb312fc-0999-5d7d-8022-1091fc09787a", - "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/d226deb6-ceed-514a-a42e-b8e045c9483f\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/d226deb6-ceed-514a-a42e-b8e045c9483f", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "d226deb6-ceed-514a-a42e-b8e045c9483f", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/ee4352b1-3a8d-5d13-aeba-9852845ea207\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/ee4352b1-3a8d-5d13-aeba-9852845ea207", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "ee4352b1-3a8d-5d13-aeba-9852845ea207", - "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_2.azurerm_role_definition.enterprise_scale[\"/providers/Microsoft.Authorization/roleDefinitions/f6172e74-c3d1-5da3-a56a-e49b56f2ba95\"]", - "mode": "managed", - "type": "azurerm_role_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Authorization/roleDefinitions/f6172e74-c3d1-5da3-a56a-e49b56f2ba95", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 1, - "values": { - "assignable_scopes": [ - "/providers/Microsoft.Management/managementGroups/root-id-2" - ], - "description": "Enterprise-scale custom Role Definition. Grants full access to manage Virtual Network subnets, but no other network resources.", - "name": "[ROOT-ID-2] Network-Subnet-Contributor", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.Network/*/read", - "Microsoft.Network/virtualNetworks/subnets/*" - ], - "data_actions": null, - "not_actions": [], - "not_data_actions": null - } - ], - "role_definition_id": "f6172e74-c3d1-5da3-a56a-e49b56f2ba95", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-2", - "timeouts": null - }, - "sensitive_values": { - "assignable_scopes": [ - false - ], - "permissions": [ - { - "actions": [ - false, - false, - false, - false, - false, - false, - false, - false - ], - "not_actions": [] - } - ] - } - }, - { - "address": "module.test_root_id_2.time_sleep.after_azurerm_management_group", - "mode": "managed", - "type": "time_sleep", - "name": "after_azurerm_management_group", - "provider_name": 
"registry.terraform.io/hashicorp/time", - "schema_version": 0, - "values": { - "create_duration": "120s", - "destroy_duration": "0s", - "triggers": { - "azurerm_management_group_level_1": "[\"/providers/Microsoft.Management/managementGroups/root-id-2\"]", - "azurerm_management_group_level_2": "[\"/providers/Microsoft.Management/managementGroups/root-id-2-decommissioned\",\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones\",\"/providers/Microsoft.Management/managementGroups/root-id-2-platform\",\"/providers/Microsoft.Management/managementGroups/root-id-2-sandboxes\"]", - "azurerm_management_group_level_3": "[\"/providers/Microsoft.Management/managementGroups/root-id-2-connectivity\",\"/providers/Microsoft.Management/managementGroups/root-id-2-corp\",\"/providers/Microsoft.Management/managementGroups/root-id-2-demo-corp\",\"/providers/Microsoft.Management/managementGroups/root-id-2-demo-online\",\"/providers/Microsoft.Management/managementGroups/root-id-2-demo-sap\",\"/providers/Microsoft.Management/managementGroups/root-id-2-identity\",\"/providers/Microsoft.Management/managementGroups/root-id-2-management\",\"/providers/Microsoft.Management/managementGroups/root-id-2-online\",\"/providers/Microsoft.Management/managementGroups/root-id-2-sap\"]", - "azurerm_management_group_level_4": "[]", - "azurerm_management_group_level_5": "[]", - "azurerm_management_group_level_6": "[]" - } - }, - "sensitive_values": { - "triggers": {} - } - }, - { - "address": "module.test_root_id_2.time_sleep.after_azurerm_policy_assignment", - "mode": "managed", - "type": "time_sleep", - "name": "after_azurerm_policy_assignment", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "values": { - "create_duration": "30s", - "destroy_duration": "0s", - "triggers": { - "azurerm_management_group_policy_assignment_enterprise_scale": 
"[\"/providers/Microsoft.Management/managementGroups/root-id-2-connectivity/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET\",\"/providers/Microsoft.Management/managementGroups/root-id-2-corp/providers/Microsoft.Authorization/policyAssignments/Deny-Public-Endpoints\",\"/providers/Microsoft.Management/managementGroups/root-id-2-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones\",\"/providers/Microsoft.Management/managementGroups/root-id-2-demo-corp/providers/Microsoft.Authorization/policyAssignments/Deny-Public-Endpoints\",\"/providers/Microsoft.Management/managementGroups/root-id-2-demo-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones\",\"/providers/Microsoft.Management/managementGroups/root-id-2-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Public-IP\",\"/providers/Microsoft.Management/managementGroups/root-id-2-identity/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet\",\"/providers/Microsoft.Management/managementGroups/root-id-2-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg\",\"/providers/Microsoft.Management/managementGroups/root-id-2-identity/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup\",\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-IP-Forwarding\",\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Containers-AKS\",\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Escalation-AKS\",\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet\",\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/M
icrosoft.Authorization/policyAssignments/Deny-Storage-http\",\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg\",\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-AKS-Policy\",\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-DB-Auditing\",\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Threat\",\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup\",\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET\",\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-AKS-HTTPS\",\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL\",\"/providers/Microsoft.Management/managementGroups/root-id-2-management/providers/Microsoft.Authorization/policyAssignments/Deploy-Log-Analytics\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Monitoring\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyAssignments/Deploy-AzActivity-Log\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyAssignments/Deploy-LX-Arc-Monitoring\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyAssignments/Deploy-MDFC-Config\",\"/providers/Microsoft.Management/managementGroups/root-id-2/
providers/Microsoft.Authorization/policyAssignments/Deploy-Resource-Diag\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-Monitoring\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyAssignments/Deploy-WS-Arc-Monitoring\"]" - } - }, - "sensitive_values": { - "triggers": {} - } - }, - { - "address": "module.test_root_id_2.time_sleep.after_azurerm_policy_definition", - "mode": "managed", - "type": "time_sleep", - "name": "after_azurerm_policy_definition", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "values": { - "create_duration": "30s", - "destroy_duration": "0s", - "triggers": { - "azurerm_policy_definition_enterprise_scale": "[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-AA-child-resources\",\"/providers/Microsoft.Management/managementGroups/r
oot-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Aks\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-SubnetId\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-VmSize\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-Scale\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-HbiWorkspace\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearni
ng-PublicAccessWhenBehindVnet\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Private-DNS-Zones\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\"/providers/Microsoft.Management/managementGroup
s/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deny-VNet-Peering\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Budget\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Custom-Route-Table\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-DDoSProtection\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\"/providers/Microsoft.Management/managementGroups/root-id-2/pro
viders/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\"/provider
s/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagn
ostics-SignalR\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-FirewallPolicy\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefini
tions/Deploy-MySQL-sslEnforcement\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs-to-LA\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-VNET-HubSpoke\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policyDefinitions/Deploy-Windows-DomainJoin\"]" - } - }, - "sensitive_values": { - "triggers": {} - } - }, - { - "address": "module.test_root_id_2.time_sleep.after_azurerm_policy_set_definition", - "mode": "managed", - "type": "time_sleep", - "name": "after_azurerm_policy_set_definition", - "provider_name": 
"registry.terraform.io/hashicorp/time", - "schema_version": 0, - "values": { - "create_duration": "30s", - "destroy_duration": "0s", - "triggers": { - "azurerm_policy_set_definition_enterprise_scale": "[\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK\"]" - } - }, - "sensitive_values": { - "triggers": {} - } - }, - { - "address": "module.test_root_id_2.time_sleep.after_azurerm_role_assignment", - "mode": "managed", - "type": "time_sleep", - "name": "after_azurerm_role_assignment", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "values": { - "create_duration": "30s", - "destroy_duration": "0s", - "triggers": { - "azurerm_policy_assignment_enterprise_scale": "[]", - "azurerm_policy_assignment_policy_assignment": 
"[\"/providers/Microsoft.Management/managementGroups/root-id-2-connectivity/providers/Microsoft.Authorization/roleAssignments/d189d3f3-6d6b-527e-9d7f-570507d2b20c\",\"/providers/Microsoft.Management/managementGroups/root-id-2-corp/providers/Microsoft.Authorization/roleAssignments/b558d8b8-b0f9-514b-96e4-7f424c822792\",\"/providers/Microsoft.Management/managementGroups/root-id-2-corp/providers/Microsoft.Authorization/roleAssignments/ed83e891-ec89-582f-8bc1-1246b062f288\",\"/providers/Microsoft.Management/managementGroups/root-id-2-corp/providers/Microsoft.Authorization/roleAssignments/f2bca938-939d-5d06-9ffc-0673b9cc0cf3\",\"/providers/Microsoft.Management/managementGroups/root-id-2-demo-corp/providers/Microsoft.Authorization/roleAssignments/08c989a2-a687-5383-8853-df895aaf0cf8\",\"/providers/Microsoft.Management/managementGroups/root-id-2-demo-corp/providers/Microsoft.Authorization/roleAssignments/b52d052b-5586-55dc-99a8-4765e6133797\",\"/providers/Microsoft.Management/managementGroups/root-id-2-demo-corp/providers/Microsoft.Authorization/roleAssignments/d566df36-2dae-5a0a-a6af-6b500cc19f83\",\"/providers/Microsoft.Management/managementGroups/root-id-2-identity/providers/Microsoft.Authorization/roleAssignments/825d48cd-533f-57a4-a1ae-26c45a829ae1\",\"/providers/Microsoft.Management/managementGroups/root-id-2-identity/providers/Microsoft.Authorization/roleAssignments/c734eb7c-72ef-5b04-859f-ab456cbe6718\",\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/roleAssignments/1c22bd8b-ff62-53e3-ac20-b17288b27769\",\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/roleAssignments/709d87f0-a79a-5894-83ac-e008c762d385\",\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/roleAssignments/7c0a4ad6-99e7-5a06-84cb-7dc3f3f2194a\",\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/provi
ders/Microsoft.Authorization/roleAssignments/b0d06e13-d382-55cf-b677-5069319add24\",\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/roleAssignments/ebd51492-dfb8-5a67-90db-1f38a4ef733d\",\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/roleAssignments/f52eb144-7254-5bcf-8e33-8dfbb7e62d02\",\"/providers/Microsoft.Management/managementGroups/root-id-2-landing-zones/providers/Microsoft.Authorization/roleAssignments/fec515d0-9459-5b30-9c74-dc777519709e\",\"/providers/Microsoft.Management/managementGroups/root-id-2-management/providers/Microsoft.Authorization/roleAssignments/6b58519d-8e69-5306-babc-951055a5142d\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/14ada2f5-4c53-51db-851b-d9a6ec4ec1af\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/1507af67-dccd-5f03-9e3e-22de8cc8d9c6\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/1f817184-222e-52e6-b1ce-c767e40c9e47\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/222e185c-14da-56d6-98ba-40beda284a70\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/33f69b32-5b45-5b7b-a180-bcdfa870c394\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/409f8346-a824-5156-b815-ea5c6b073b05\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/73ea886d-d735-57db-ab2a-591d0cb9e28c\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/78776431-71d1-5e97-8bba-6c486c9d5743\",\"/providers/Microsoft.Management/managementGroups/root-id-2/pr
oviders/Microsoft.Authorization/roleAssignments/ccb312fc-0999-5d7d-8022-1091fc09787a\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/d226deb6-ceed-514a-a42e-b8e045c9483f\",\"/providers/Microsoft.Management/managementGroups/root-id-2/providers/Microsoft.Authorization/roleAssignments/ee4352b1-3a8d-5d13-aeba-9852845ea207\"]" - } - }, - "sensitive_values": { - "triggers": {} - } - }, - { - "address": "module.test_root_id_2.time_sleep.after_azurerm_role_definition", - "mode": "managed", - "type": "time_sleep", - "name": "after_azurerm_role_definition", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "values": { - "create_duration": "30s", - "destroy_duration": "0s", - "triggers": { - "azurerm_role_definition_enterprise_scale": "[\"/providers/Microsoft.Authorization/roleDefinitions/f6172e74-c3d1-5da3-a56a-e49b56f2ba95\"]" - } - }, - "sensitive_values": { - "triggers": {} - } - } - ], - "address": "module.test_root_id_2" - }, - { - "resources": [ - { - "address": "module.test_root_id_3.azurerm_automation_account.management[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.Automation/automationAccounts/root-id-3-automation\"]", - "mode": "managed", - "type": "azurerm_automation_account", - "name": "management", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.Automation/automationAccounts/root-id-3-automation", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "location": "eastus", - "name": "root-id-3-automation", - "resource_group_name": "root-id-3-mgmt", - "sku_name": "Basic", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale" - }, - "timeouts": null - }, - "sensitive_values": { - "tags": {} - } - }, - { - "address": 
"module.test_root_id_3.azurerm_firewall.connectivity[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/azureFirewalls/root-id-3-fw-eastus\"]", - "mode": "managed", - "type": "azurerm_firewall", - "name": "connectivity", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/azureFirewalls/root-id-3-fw-eastus", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "dns_servers": null, - "firewall_policy_id": null, - "ip_configuration": [ - { - "name": "root-id-3-fw-eastus-pip", - "public_ip_address_id": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/publicIPAddresses/root-id-3-fw-eastus-pip", - "subnet_id": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/virtualNetworks/root-id-3-hub-eastus/subnets/AzureFirewallSubnet" - } - ], - "location": "eastus", - "management_ip_configuration": [], - "name": "root-id-3-fw-eastus", - "private_ip_ranges": null, - "resource_group_name": "root-id-3-connectivity-eastus", - "sku_name": "AZFW_VNet", - "sku_tier": "Standard", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale/tests/deployment" - }, - "threat_intel_mode": "Alert", - "timeouts": null, - "virtual_hub": [], - "zones": [ - "1", - "2", - "3" - ] - }, - "sensitive_values": { - "ip_configuration": [ - {} - ], - "management_ip_configuration": [], - "tags": {}, - "virtual_hub": [], - "zones": [ - false, - false, - false - ] - } - }, - { - "address": "module.test_root_id_3.azurerm_log_analytics_linked_service.management[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-3-la/linkedServices/Automation\"]", - "mode": 
"managed", - "type": "azurerm_log_analytics_linked_service", - "name": "management", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-3-la/linkedServices/Automation", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "read_access_id": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.Automation/automationAccounts/root-id-3-automation", - "resource_group_name": "root-id-3-mgmt", - "tags": null, - "timeouts": null, - "workspace_id": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-3-la", - "write_access_id": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_log_analytics_solution.management[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationsManagement/solutions/AgentHealthAssessment(root-id-3-la)\"]", - "mode": "managed", - "type": "azurerm_log_analytics_solution", - "name": "management", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationsManagement/solutions/AgentHealthAssessment(root-id-3-la)", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "location": "eastus", - "plan": [ - { - "product": "OMSGallery/AgentHealthAssessment", - "promotion_code": null, - "publisher": "Microsoft" - } - ], - "resource_group_name": "root-id-3-mgmt", - "solution_name": "AgentHealthAssessment", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale" - }, - "timeouts": null, - "workspace_name": "root-id-3-la", - "workspace_resource_id": 
"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-3-la" - }, - "sensitive_values": { - "plan": [ - {} - ], - "tags": {} - } - }, - { - "address": "module.test_root_id_3.azurerm_log_analytics_solution.management[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationsManagement/solutions/AzureActivity(root-id-3-la)\"]", - "mode": "managed", - "type": "azurerm_log_analytics_solution", - "name": "management", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationsManagement/solutions/AzureActivity(root-id-3-la)", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "location": "eastus", - "plan": [ - { - "product": "OMSGallery/AzureActivity", - "promotion_code": null, - "publisher": "Microsoft" - } - ], - "resource_group_name": "root-id-3-mgmt", - "solution_name": "AzureActivity", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale" - }, - "timeouts": null, - "workspace_name": "root-id-3-la", - "workspace_resource_id": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-3-la" - }, - "sensitive_values": { - "plan": [ - {} - ], - "tags": {} - } - }, - { - "address": "module.test_root_id_3.azurerm_log_analytics_solution.management[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationsManagement/solutions/ChangeTracking(root-id-3-la)\"]", - "mode": "managed", - "type": "azurerm_log_analytics_solution", - "name": "management", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationsManagement/solutions/ChangeTracking(root-id-3-la)", - "provider_name": 
"registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "location": "eastus", - "plan": [ - { - "product": "OMSGallery/ChangeTracking", - "promotion_code": null, - "publisher": "Microsoft" - } - ], - "resource_group_name": "root-id-3-mgmt", - "solution_name": "ChangeTracking", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale" - }, - "timeouts": null, - "workspace_name": "root-id-3-la", - "workspace_resource_id": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-3-la" - }, - "sensitive_values": { - "plan": [ - {} - ], - "tags": {} - } - }, - { - "address": "module.test_root_id_3.azurerm_log_analytics_solution.management[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationsManagement/solutions/ServiceMap(root-id-3-la)\"]", - "mode": "managed", - "type": "azurerm_log_analytics_solution", - "name": "management", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationsManagement/solutions/ServiceMap(root-id-3-la)", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "location": "eastus", - "plan": [ - { - "product": "OMSGallery/ServiceMap", - "promotion_code": null, - "publisher": "Microsoft" - } - ], - "resource_group_name": "root-id-3-mgmt", - "solution_name": "ServiceMap", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale" - }, - "timeouts": null, - "workspace_name": "root-id-3-la", - "workspace_resource_id": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-3-la" - }, - "sensitive_values": { - "plan": [ - {} - ], - "tags": {} - } - }, - { - "address": 
"module.test_root_id_3.azurerm_log_analytics_solution.management[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationsManagement/solutions/Updates(root-id-3-la)\"]", - "mode": "managed", - "type": "azurerm_log_analytics_solution", - "name": "management", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationsManagement/solutions/Updates(root-id-3-la)", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "location": "eastus", - "plan": [ - { - "product": "OMSGallery/Updates", - "promotion_code": null, - "publisher": "Microsoft" - } - ], - "resource_group_name": "root-id-3-mgmt", - "solution_name": "Updates", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale" - }, - "timeouts": null, - "workspace_name": "root-id-3-la", - "workspace_resource_id": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-3-la" - }, - "sensitive_values": { - "plan": [ - {} - ], - "tags": {} - } - }, - { - "address": "module.test_root_id_3.azurerm_log_analytics_solution.management[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationsManagement/solutions/VMInsights(root-id-3-la)\"]", - "mode": "managed", - "type": "azurerm_log_analytics_solution", - "name": "management", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationsManagement/solutions/VMInsights(root-id-3-la)", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "location": "eastus", - "plan": [ - { - "product": "OMSGallery/VMInsights", - "promotion_code": null, - "publisher": "Microsoft" - } - ], - "resource_group_name": "root-id-3-mgmt", - "solution_name": "VMInsights", - 
"tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale" - }, - "timeouts": null, - "workspace_name": "root-id-3-la", - "workspace_resource_id": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-3-la" - }, - "sensitive_values": { - "plan": [ - {} - ], - "tags": {} - } - }, - { - "address": "module.test_root_id_3.azurerm_log_analytics_workspace.management[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-3-la\"]", - "mode": "managed", - "type": "azurerm_log_analytics_workspace", - "name": "management", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-3-la", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 2, - "values": { - "daily_quota_gb": -1, - "internet_ingestion_enabled": true, - "internet_query_enabled": true, - "location": "eastus", - "name": "root-id-3-la", - "reservation_capcity_in_gb_per_day": null, - "resource_group_name": "root-id-3-mgmt", - "retention_in_days": 60, - "sku": "PerGB2018", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale" - }, - "timeouts": null - }, - "sensitive_values": { - "tags": {} - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group.level_1[\"/providers/Microsoft.Management/managementGroups/root-id-3\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_1", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "root-name-3", - "name": "root-id-3", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/dac8feee-8768-4fbd-9cf9-9d96d4718018", - "timeouts": null - }, - "sensitive_values": { 
- "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group.level_2[\"/providers/Microsoft.Management/managementGroups/root-id-3-decommissioned\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_2", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-decommissioned", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Decommissioned", - "name": "root-id-3-decommissioned", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group.level_2[\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_2", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Landing Zones", - "name": "root-id-3-landing-zones", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group.level_2[\"/providers/Microsoft.Management/managementGroups/root-id-3-platform\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_2", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-platform", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Platform", - "name": "root-id-3-platform", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3", - "timeouts": null - }, - "sensitive_values": { - 
"subscription_ids": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group.level_2[\"/providers/Microsoft.Management/managementGroups/root-id-3-sandboxes\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_2", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-sandboxes", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Sandboxes", - "name": "root-id-3-sandboxes", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-3-connectivity\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_3", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-connectivity", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Connectivity", - "name": "root-id-3-connectivity", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-platform", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-3-corp\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_3", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-corp", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Corp", - "name": "root-id-3-corp", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, 
- { - "address": "module.test_root_id_3.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-3-identity\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_3", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-identity", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Identity", - "name": "root-id-3-identity", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-platform", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-3-management\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_3", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-management", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Management", - "name": "root-id-3-management", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-platform", - "subscription_ids": [ - "2a8527ca-5340-49aa-8931-ea03669451a0" - ], - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [ - false - ] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-3-online\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_3", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-online", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Online", - "name": "root-id-3-online", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones", - "timeouts": null - }, - 
"sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-3-sap\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_3", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-sap", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "SAP", - "name": "root-id-3-sap", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-3-secure\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_3", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-secure", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Secure Workloads (HITRUST/HIPAA)", - "name": "root-id-3-secure", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group.level_4[\"/providers/Microsoft.Management/managementGroups/root-id-3-web-emea\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_4", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-web-emea", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "EMEA Web Applications", - "name": "root-id-3-web-emea", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-online", - "timeouts": null - }, - 
"sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group.level_4[\"/providers/Microsoft.Management/managementGroups/root-id-3-web-global\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_4", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-web-global", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Global Web Applications", - "name": "root-id-3-web-global", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-online", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group.level_4[\"/providers/Microsoft.Management/managementGroups/root-id-3-web-us\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_4", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-web-us", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "US Web Applications", - "name": "root-id-3-web-us", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-online", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-connectivity/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-connectivity/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { 
- "description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs.", - "display_name": "Virtual networks should be protected by Azure DDoS Protection Standard", - "enforce": false, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-connectivity", - "name": "Enable-DDoS-VNET", - "not_scopes": [], - "parameters": "{\"ddosPlan\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-ddos/providers/Microsoft.Network/ddosProtectionPlans/root-id-3-ddos-eastus\"},\"effect\":{\"value\":\"Modify\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-corp/providers/Microsoft.Authorization/policyAssignments/Deny-Public-Endpoints\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-corp/providers/Microsoft.Authorization/policyAssignments/Deny-Public-Endpoints", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints.", - "display_name": "Public network access should be disabled for PaaS services", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-corp", - "name": 
"Deny-Public-Endpoints", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones.", - "display_name": "Configure Azure PaaS services to use private DNS zones", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-corp", - "name": "Deploy-Private-DNS-Zones", - "not_scopes": [], - "parameters": 
"{\"azureAcrPrivateDnsZoneId\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io\"},\"azureAppPrivateDnsZoneId\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io\"},\"azureAppServicesPrivateDnsZoneId\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net\"},\"azureAsrPrivateDnsZoneId\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.siterecovery.windowsazure.com\"},\"azureBatchPrivateDnsZoneId\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.eastus.batch.azure.com\"},\"azureCognitiveSearchPrivateDnsZoneId\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.search.windows.net\"},\"azureCognitiveServicesPrivateDnsZoneId\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.cognitiveservices.azure.com\"},\"azureDiskAccessPrivateDnsZoneId\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net\"},\"azureEventGridDomainsPrivateDnsZoneId\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.eventgrid.azure.net\"},\"azureEventGridTopicsPrivateDnsZoneId\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/
root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.eventgrid.azure.net\"},\"azureEventHubNamespacePrivateDnsZoneId\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net\"},\"azureFilePrivateDnsZoneId\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.afs.azure.net\"},\"azureIoTPrivateDnsZoneId\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azure-devices-provisioning.net\"},\"azureIotHubsPrivateDnsZoneId\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azure-devices.net\"},\"azureKeyVaultPrivateDnsZoneId\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net\"},\"azureMachineLearningWorkspacePrivateDnsZoneId\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.api.azureml.ms\"},\"azureRedisCachePrivateDnsZoneId\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net\"},\"azureServiceBusNamespacePrivateDnsZoneId\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net\"},\"azureSignalRPrivateDnsZoneId\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.service.signalr.net\"},\"azureWe
bPrivateDnsZoneId\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.webpubsub.azure.com\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Public-IP\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Public-IP", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies creation of Public IPs under the assigned scope.", - "display_name": "Deny the creation of public IP", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-identity", - "name": "Deny-Public-IP", - "not_scopes": [], - "parameters": "{\"effect\":{\"value\":\"Deny\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-identity/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet\"]", - "mode": "managed", - "type": 
"azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-identity/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies any network security rule that allows RDP access from Internet.", - "display_name": "RDP access from the Internet should be blocked", - "enforce": false, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-identity", - "name": "Deny-RDP-From-Internet", - "not_scopes": [], - "parameters": "{\"effect\":{\"value\":\"Deny\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets.", - "display_name": "Subnets should have a Network Security Group", - "enforce": false, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-identity", - 
"name": "Deny-Subnet-Without-Nsg", - "not_scopes": [], - "parameters": "{\"effect\":{\"value\":\"Deny\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-identity/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-identity/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. 
See https://aka.ms/AzureVMAppCentricBackupExcludeTag.", - "display_name": "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy", - "enforce": false, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-identity", - "name": "Deploy-VM-Backup", - "not_scopes": [], - "parameters": "{\"effect\":{\"value\":\"deployIfNotExists\"},\"exclusionTagName\":{\"value\":\"\"},\"exclusionTagValue\":{\"value\":[]}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-IP-Forwarding\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-IP-Forwarding", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. 
This should be reviewed by the network security team.", - "display_name": "Network interfaces should disable IP forwarding", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones", - "name": "Deny-IP-Forwarding", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Containers-AKS\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Containers-AKS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. 
For more information, see https://aka.ms/kubepolicydoc.", - "display_name": "Kubernetes cluster should not allow privileged containers", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones", - "name": "Deny-Priv-Containers-AKS", - "not_scopes": [], - "parameters": "{\"effect\":{\"value\":\"deny\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Escalation-AKS\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Escalation-AKS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. 
For more information, see https://aka.ms/kubepolicydoc.", - "display_name": "Kubernetes clusters should not allow container privilege escalation", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones", - "name": "Deny-Priv-Escalation-AKS", - "not_scopes": [], - "parameters": "{\"effect\":{\"value\":\"deny\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies any network security rule that allows RDP access from Internet.", - "display_name": "RDP access from the Internet should be blocked", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones", - "name": "Deny-RDP-From-Internet", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": 
"module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Storage-http\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Storage-http", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", - "display_name": "Secure transfer to storage accounts should be enabled", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones", - "name": "Deny-Storage-http", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": 
"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets.", - "display_name": "Subnets should have a Network Security Group", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones", - "name": "Deny-Subnet-Without-Nsg", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-AKS-Policy\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-AKS-Policy", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. 
For more information, see https://aka.ms/akspolicydoc.", - "display_name": "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones", - "name": "Deploy-AKS-Policy", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-DB-Auditing\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-DB-Auditing", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.", - "display_name": "Auditing on SQL server should be enabled", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones", - "name": "Deploy-SQL-DB-Auditing", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": 
"module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Threat\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Threat", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy ensures that Threat Detection is enabled on SQL Servers.", - "display_name": "Deploy Threat Detection on SQL servers", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones", - "name": "Deploy-SQL-Threat", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the 
virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.", - "display_name": "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones", - "name": "Deploy-VM-Backup", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. 
For more information, visit https://aka.ms/ddosprotectiondocs.", - "display_name": "Virtual networks should be protected by Azure DDoS Protection Standard", - "enforce": false, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones", - "name": "Enable-DDoS-VNET", - "not_scopes": [], - "parameters": "{\"ddosPlan\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-ddos/providers/Microsoft.Network/ddosProtectionPlans/root-id-3-ddos-eastus\"},\"effect\":{\"value\":\"Modify\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-AKS-HTTPS\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-AKS-HTTPS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. 
For more info, visit https://aka.ms/kubepolicydoc.", - "display_name": "Kubernetes clusters should be accessible only over HTTPS", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones", - "name": "Enforce-AKS-HTTPS", - "not_scopes": [], - "parameters": "{\"effect\":{\"value\":\"deny\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. 
Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit.", - "display_name": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones", - "name": "Enforce-TLS-SSL", - "not_scopes": [], - "parameters": null, - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-management/providers/Microsoft.Authorization/policyAssignments/Deploy-Log-Analytics\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-management/providers/Microsoft.Authorization/policyAssignments/Deploy-Log-Analytics", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy-Log-Analytics.", - "display_name": "Deploy-Log-Analytics", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-management", - "name": "Deploy-Log-Analytics", - "not_scopes": [], - "parameters": 
"{\"automationAccountName\":{\"value\":\"root-id-3-automation\"},\"automationRegion\":{\"value\":\"eastus\"},\"dataRetention\":{\"value\":\"60\"},\"effect\":{\"value\":\"DeployIfNotExists\"},\"rgName\":{\"value\":\"root-id-3-mgmt\"},\"sku\":{\"value\":\"pergb2018\"},\"workspaceName\":{\"value\":\"root-id-3-la\"},\"workspaceRegion\":{\"value\":\"eastus\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-secure/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-secure/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Specifies the allowed locations (regions) where Resource Groups can be deployed. 
Generated from custom Terraform template.", - "display_name": "Limit allowed locations for Resource Groups", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-secure", - "name": "Deny-RSG-Locations", - "not_scopes": [], - "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"eastus\",\"westus\"]}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-secure/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-secure/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Specifies the allowed locations (regions) where Resources can be deployed.", - "display_name": "Limit allowed locations for Resources", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-secure", - "name": "Deny-Resource-Locations", - "not_scopes": [], - "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"eastus\",\"westus\"]}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": 
"module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-secure/providers/Microsoft.Authorization/policyAssignments/Deploy-HITRUST-HIPAA\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-secure/providers/Microsoft.Authorization/policyAssignments/Deploy-HITRUST-HIPAA", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This assignment includes audit and virtual machine extension deployment policies that address a subset of HITRUST/HIPAA controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/hipaa-blueprint.", - "display_name": "Assign policies for HITRUST and HIPAA controls", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-secure", - "name": "Deploy-HITRUST-HIPAA", - "not_scopes": [], - "parameters": "{\"CertificateThumbprints\":{\"value\":\"\"},\"DeployDiagnosticSettingsforNetworkSecurityGroupsrgName\":{\"value\":\"root-id-3-rg\"},\"DeployDiagnosticSettingsforNetworkSecurityGroupsstoragePrefix\":{\"value\":\"root-id-3\"},\"installedApplicationsOnWindowsVM\":{\"value\":\"\"},\"listOfLocations\":{\"value\":[\"eastus\"]}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policySetDefinitions/a169a624-5599-4385-a696-c8d643089fab", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-web-emea/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\"]", - "mode": 
"managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-web-emea/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Specifies the allowed locations (regions) where Resource Groups can be deployed. Generated from custom Terraform template.", - "display_name": "Limit allowed locations for Resource Groups", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-web-emea", - "name": "Deny-RSG-Locations", - "not_scopes": [], - "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"northeurope\",\"westeurope\"]}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-web-emea/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-web-emea/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Specifies the allowed locations (regions) where Resources can be deployed.", - "display_name": "Limit allowed locations for Resources", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-web-emea", - 
"name": "Deny-Resource-Locations", - "not_scopes": [], - "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"northeurope\",\"westeurope\"]}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-web-us/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-web-us/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Specifies the allowed locations (regions) where Resource Groups can be deployed. 
Generated from custom Terraform template.", - "display_name": "Limit allowed locations for Resource Groups", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-web-us", - "name": "Deny-RSG-Locations", - "not_scopes": [], - "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"eastus\",\"westus\"]}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-web-us/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-web-us/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Specifies the allowed locations (regions) where Resources can be deployed.", - "display_name": "Limit allowed locations for Resources", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-web-us", - "name": "Deny-Resource-Locations", - "not_scopes": [], - "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"eastus\",\"westus\"]}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": 
"module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Specifies the allowed locations (regions) where Resource Groups can be deployed. Generated from custom Terraform template.", - "display_name": "Limit allowed locations for Resource Groups", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3", - "name": "Deny-RSG-Locations", - "not_scopes": [], - "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"eastus\",\"eastus2\",\"westus\",\"northcentralus\",\"southcentralus\",\"northeurope\",\"westeurope\",\"uksouth\",\"ukwest\"]}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": 
"Specifies the allowed locations (regions) where Resources can be deployed.", - "display_name": "Limit allowed locations for Resources", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3", - "name": "Deny-Resource-Locations", - "not_scopes": [], - "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"eastus\",\"eastus2\",\"westus\",\"northcentralus\",\"southcentralus\",\"northeurope\",\"westeurope\",\"uksouth\",\"ukwest\"]}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Monitoring\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Monitoring", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enable Monitoring in Azure Security Center.", - "display_name": "Enable Monitoring in Azure Security Center", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3", - "name": "Deploy-ASC-Monitoring", - "not_scopes": [], - "parameters": 
"{\"aadAuthenticationInSqlServerMonitoringEffect\":{\"value\":\"Disabled\"},\"diskEncryptionMonitoringEffect\":{\"value\":\"Disabled\"},\"encryptionOfAutomationAccountMonitoringEffect\":{\"value\":\"Disabled\"},\"identityDesignateLessThanOwnersMonitoringEffect\":{\"value\":\"Disabled\"},\"identityDesignateMoreThanOneOwnerMonitoringEffect\":{\"value\":\"Disabled\"},\"identityEnableMFAForWritePermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveDeprecatedAccountMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"jitNetworkAccessMonitoringEffect\":{\"value\":\"Disabled\"},\"networkSecurityGroupsOnSubnetsMonitoringEffect\":{\"value\":\"AuditIfNotExists\"},\"sqlDbEncryptionMonitoringEffect\":{\"value\":\"Disabled\"},\"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\":{\"value\":\"Disabled\"},\"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\":{\"value\":\"Disabled\"},\"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\":{\"value\":\"Disabled\"},\"sqlServerAdvancedDataSecurityMonitoringEffect\":{\"value\":\"Disabled\"},\"systemUpdatesMonitoringEffect\":{\"value\":\"Disabled\"},\"useRbacRulesMonitoringEffect\":{\"value\":\"Disabled\"},\"vmssSystemUpdatesMonitoringEffect\":{\"value\":\"Disabled\"},\"windowsDefenderExploitGuardMonitoringEffect\":{\"value\":\"Disabled\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": 
"module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-AzActivity-Log\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-AzActivity-Log", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Ensures that Activity Log Diagnostics settings are set to push logs into Log Analytics workspace.", - "display_name": "Deploy Diagnostic Settings for Activity Log to Log Analytics workspace", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3", - "name": "Deploy-AzActivity-Log", - "not_scopes": [], - "parameters": "{\"logAnalytics\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-3-la\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-HITRUST-HIPAA\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-HITRUST-HIPAA", - "provider_name": 
"registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This assignment includes audit and virtual machine extension deployment policies that address a subset of HITRUST/HIPAA controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/hipaa-blueprint.", - "display_name": "Assign policies for HITRUST and HIPAA controls", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3", - "name": "Deploy-HITRUST-HIPAA", - "not_scopes": [], - "parameters": "{\"CertificateThumbprints\":{\"value\":\"\"},\"DeployDiagnosticSettingsforNetworkSecurityGroupsrgName\":{\"value\":\"root-id-3-rg\"},\"DeployDiagnosticSettingsforNetworkSecurityGroupsstoragePrefix\":{\"value\":\"root-id-3\"},\"installedApplicationsOnWindowsVM\":{\"value\":\"\"},\"listOfLocations\":{\"value\":[\"eastus\"]}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policySetDefinitions/a169a624-5599-4385-a696-c8d643089fab", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-LX-Arc-Monitoring\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-LX-Arc-Monitoring", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy-Linux-Arc-Monitoring.", - "display_name": "Deploy-Linux-Arc-Monitoring", - "enforce": false, - "identity": [ - { - "type": "SystemAssigned" - } - ], - 
"location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3", - "name": "Deploy-LX-Arc-Monitoring", - "not_scopes": [], - "parameters": "{\"logAnalytics\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-3-la\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-MDFC-Config\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-MDFC-Config", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy Microsoft Defender for Cloud and Security Contacts", - "display_name": "Deploy Microsoft Defender for Cloud configuration", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3", - "name": "Deploy-MDFC-Config", - "not_scopes": [], - "parameters": 
"{\"ascExportResourceGroupLocation\":{\"value\":\"eastus\"},\"ascExportResourceGroupName\":{\"value\":\"root-id-3-asc-export\"},\"emailSecurityContact\":{\"value\":\"test.user@replace_me\"},\"enableAscForAppServices\":{\"value\":\"DeployIfNotExists\"},\"enableAscForArm\":{\"value\":\"DeployIfNotExists\"},\"enableAscForContainers\":{\"value\":\"DeployIfNotExists\"},\"enableAscForDns\":{\"value\":\"DeployIfNotExists\"},\"enableAscForKeyVault\":{\"value\":\"DeployIfNotExists\"},\"enableAscForOssDb\":{\"value\":\"DeployIfNotExists\"},\"enableAscForServers\":{\"value\":\"DeployIfNotExists\"},\"enableAscForSql\":{\"value\":\"DeployIfNotExists\"},\"enableAscForSqlOnVm\":{\"value\":\"DeployIfNotExists\"},\"enableAscForStorage\":{\"value\":\"DeployIfNotExists\"},\"logAnalytics\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-3-la\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-Resource-Diag\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-Resource-Diag", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Ensures that Azure resources are configured to forward diagnostic logs and metrics to an Azure Log Analytics workspace.", - "display_name": "Deploy-Resource-Diag", - "enforce": 
true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3", - "name": "Deploy-Resource-Diag", - "not_scopes": [], - "parameters": "{\"logAnalytics\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-3-la\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Auditing\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Auditing", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy Auditing on SQL servers.", - "display_name": "Deploy Auditing on SQL servers", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3", - "name": "Deploy-SQL-Auditing", - "not_scopes": [], - "parameters": "{\"retentionDays\":{\"value\":\"10\"},\"storageAccountsResourceGroup\":{\"value\":\"\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": 
"module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter.", - "display_name": "Enable Azure Monitor for VMs", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3", - "name": "Deploy-VM-Monitoring", - "not_scopes": [], - "parameters": "{\"logAnalytics_1\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-3-la\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-Monitoring\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-Monitoring", - "provider_name": 
"registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances.", - "display_name": "Enable Azure Monitor for Virtual Machine Scale Sets", - "enforce": true, - "identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3", - "name": "Deploy-VMSS-Monitoring", - "not_scopes": [], - "parameters": "{\"logAnalytics_1\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-3-la\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-WS-Arc-Monitoring\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-WS-Arc-Monitoring", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the Log Analytics agent to Windows Azure Arc machines if the agent isn't installed.", - "display_name": "Deploy-Windows-Arc-Monitoring", - "enforce": false, - 
"identity": [ - { - "type": "SystemAssigned" - } - ], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3", - "name": "Deploy-WS-Arc-Monitoring", - "not_scopes": [], - "parameters": "{\"logAnalytics\":{\"value\":\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-3-la\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203", - "timeouts": null - }, - "sensitive_values": { - "identity": [ - {} - ], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. 
Please note Append does not enforce compliance use then deny.", - "display_name": "AppService append enable https only setting to enforce https setting.", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", - "mode": "All", - "name": "Append-AppService-httpsonly", - "parameters": "{\"effect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"field\":\"Microsoft.Web/sites/httpsOnly\",\"notequals\":true}]},\"then\":{\"details\":[{\"field\":\"Microsoft.Web/sites/httpsOnly\",\"value\":true}],\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. 
Please note Append does not enforce compliance use then deny.", - "display_name": "AppService append sites with minimum TLS version to enforce.", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", - "mode": "All", - "name": "Append-AppService-latestTLS", - "parameters": "{\"effect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version for a Web App config to enforce\",\"displayName\":\"Select version minimum TLS Web App config\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites/config\",\"field\":\"type\"},{\"field\":\"Microsoft.Web/sites/config/minTlsVersion\",\"notEquals\":\"[parameters('minTlsVersion')]\"}]},\"then\":{\"details\":[{\"field\":\"Microsoft.Web/sites/config/minTlsVersion\",\"value\":\"[parameters('minTlsVersion')]\"}],\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy enables you to ensure when a Key Vault is created with out soft delete enabled it will be added.", - "display_name": "KeyVault 
SoftDelete should be enabled", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Key Vault\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Append-KV-SoftDelete", - "parameters": null, - "policy_rule": "{\"if\":{\"anyOf\":[{\"allOf\":[{\"equals\":\"Microsoft.KeyVault/vaults\",\"field\":\"type\"},{\"field\":\"Microsoft.KeyVault/vaults/enableSoftDelete\",\"notEquals\":true}]}]},\"then\":{\"details\":[{\"field\":\"Microsoft.KeyVault/vaults/enableSoftDelete\",\"value\":true}],\"effect\":\"append\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled.", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Cache\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Append-Redis-disableNonSslPort", - "parameters": "{\"effect\":{\"allowedValues\":[\"Append\",\"Disabled\",\"Modify\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis\",\"displayName\":\"Effect Azure Cache for Redis\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Cache/redis\",\"field\":\"type\"},{\"anyOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Cache/Redis/enableNonSslPort\"}]}]},\"then\":{\"details\":[{\"field\":\"Microsoft.Cache/Redis/enableNonSslPort\",\"value\":false}],\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. 
Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS.", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Cache\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Append-Redis-sslEnforcement", - "parameters": "{\"effect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis\",\"displayName\":\"Effect Azure Cache for Redis\"},\"type\":\"String\"},\"minimumTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Cache for Redis to enforce\",\"displayName\":\"Select version for Redis server\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Cache/redis\",\"field\":\"type\"},{\"anyOf\":[{\"field\":\"Microsoft.Cache/Redis/minimumTlsVersion\",\"notequals\":\"[parameters('minimumTlsVersion')]\"}]}]},\"then\":{\"details\":[{\"field\":\"Microsoft.Cache/Redis/minimumTlsVersion\",\"value\":\"[parameters('minimumTlsVersion')]\"}],\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", 
- "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.", - "display_name": "Control private endpoint connections to Azure Machine Learning", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Audit-MachineLearning-PrivateEndpointId", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\",\"field\":\"type\"},{\"equals\":\"Approved\",\"field\":\"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\"},{\"notEquals\":\"[subscription().subscriptionId]\",\"value\":\"[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-AA-child-resources\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": 
"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-AA-child-resources", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the creation of child resources on the Automation Account", - "display_name": "No child resources in Automation Account", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Automation\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-AA-child-resources", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Automation/automationAccounts/runbooks\",\"Microsoft.Automation/automationAccounts/variables\",\"Microsoft.Automation/automationAccounts/modules\",\"Microsoft.Automation/automationAccounts/credentials\",\"Microsoft.Automation/automationAccounts/connections\",\"Microsoft.Automation/automationAccounts/certificates\"]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy enables you to restrict that Application Gateways is always deployed with 
WAF enabled", - "display_name": "Application Gateway should be deployed with WAF enabled", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-AppGW-Without-WAF", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/applicationGateways\",\"field\":\"type\"},{\"field\":\"Microsoft.Network/applicationGateways/sku.name\",\"notequals\":\"WAF_v2\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", - "display_name": "API App should only be accessible over HTTPS", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-AppServiceApiApp-http", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"field\":\"kind\",\"like\":\"*api\"},{\"equals\":\"false\",\"field\":\"Microsoft.Web/sites/httpsOnly\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", - "display_name": "Function App should only be accessible over HTTPS", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-AppServiceFunctionApp-http", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"field\":\"kind\",\"like\":\"functionapp*\"},{\"equals\":\"false\",\"field\":\"Microsoft.Web/sites/httpsOnly\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", - "display_name": "Web Application should only be accessible over HTTPS", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-AppServiceWebApp-http", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"field\":\"kind\",\"like\":\"app*\"},{\"equals\":\"false\",\"field\":\"Microsoft.Web/sites/httpsOnly\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp", - 
"provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.", - "display_name": "Deny public IPs for Databricks cluster", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Databricks\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-Databricks-NoPublicIp", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Databricks/workspaces\",\"field\":\"type\"},{\"field\":\"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\"notEquals\":true}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.", - "display_name": "Deny non-premium Databricks sku", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Databricks\",\"version\":\"1.0.0\"}", - "mode": 
"Indexed", - "name": "Deny-Databricks-Sku", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Databricks/workspaces\",\"field\":\"type\"},{\"field\":\"Microsoft.DataBricks/workspaces/sku.name\",\"notEquals\":\"premium\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enforces the use of vnet injection for Databricks workspaces.", - "display_name": "Deny Databricks workspaces without Vnet injection", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Databricks\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-Databricks-VirtualNetwork", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Databricks/workspaces\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value\"},{\"exists\":false,\"field\":\"Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value\"},{\"exists\":false,\"field\":\"Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Aks\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Aks", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.", - "display_name": "Deny AKS cluster creation in Azure Machine Learning", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MachineLearning-Aks", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"equals\":\"AKS\",\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/resourceId\"},{\"equals\":true,\"value\":\"[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-SubnetId\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-SubnetId", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.", - "display_name": "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MachineLearning-Compute-SubnetId", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\"in\":[\"AmlCompute\",\"ComputeInstance\"]},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/subnet.id\"},{\"equals\":true,\"value\":\"[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-VmSize\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-VmSize", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.", - "display_name": "Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Budget\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MachineLearning-Compute-VmSize", - "parameters": 
"{\"allowedVmSizes\":{\"defaultValue\":[\"Standard_D1_v2\",\"Standard_D2_v2\",\"Standard_D3_v2\",\"Standard_D4_v2\",\"Standard_D11_v2\",\"Standard_D12_v2\",\"Standard_D13_v2\",\"Standard_D14_v2\",\"Standard_DS1_v2\",\"Standard_DS2_v2\",\"Standard_DS3_v2\",\"Standard_DS4_v2\",\"Standard_DS5_v2\",\"Standard_DS11_v2\",\"Standard_DS12_v2\",\"Standard_DS13_v2\",\"Standard_DS14_v2\",\"Standard_M8-2ms\",\"Standard_M8-4ms\",\"Standard_M8ms\",\"Standard_M16-4ms\",\"Standard_M16-8ms\",\"Standard_M16ms\",\"Standard_M32-8ms\",\"Standard_M32-16ms\",\"Standard_M32ls\",\"Standard_M32ms\",\"Standard_M32ts\",\"Standard_M64-16ms\",\"Standard_M64-32ms\",\"Standard_M64ls\",\"Standard_M64ms\",\"Standard_M64s\",\"Standard_M128-32ms\",\"Standard_M128-64ms\",\"Standard_M128ms\",\"Standard_M128s\",\"Standard_M64\",\"Standard_M64m\",\"Standard_M128\",\"Standard_M128m\",\"Standard_D1\",\"Standard_D2\",\"Standard_D3\",\"Standard_D4\",\"Standard_D11\",\"Standard_D12\",\"Standard_D13\",\"Standard_D14\",\"Standard_DS15_v2\",\"Standard_NV6\",\"Standard_NV12\",\"Standard_NV24\",\"Standard_F2s_v2\",\"Standard_F4s_v2\",\"Standard_F8s_v2\",\"Standard_F16s_v2\",\"Standard_F32s_v2\",\"Standard_F64s_v2\",\"Standard_F72s_v2\",\"Standard_NC6s_v3\",\"Standard_NC12s_v3\",\"Standard_NC24rs_v3\",\"Standard_NC24s_v3\",\"Standard_NC6\",\"Standard_NC12\",\"Standard_NC24\",\"Standard_NC24r\",\"Standard_ND6s\",\"Standard_ND12s\",\"Standard_ND24rs\",\"Standard_ND24s\",\"Standard_NC6s_v2\",\"Standard_NC12s_v2\",\"Standard_NC24rs_v2\",\"Standard_NC24s_v2\",\"Standard_ND40rs_v2\",\"Standard_NV12s_v3\",\"Standard_NV24s_v3\",\"Standard_NV48s_v3\"],\"metadata\":{\"description\":\"Specifies the allowed VM Sizes for Aml Compute Clusters and Instances\",\"displayName\":\"Allowed VM Sizes for Aml Compute Clusters and Instances\"},\"type\":\"Array\"},\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\"in\":[\"AmlCompute\",\"ComputeInstance\"]},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/vmSize\",\"notIn\":\"[parameters('allowedVmSizes')]\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deny public access of Azure Machine Learning clusters via SSH.", - "display_name": "Deny public access of Azure Machine Learning clusters via SSH", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"equals\":\"AmlCompute\",\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\"notEquals\":\"Disabled\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-Scale\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-Scale", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enforce scale settings for Azure Machine Learning compute clusters.", - "display_name": "Enforce scale settings for Azure Machine Learning compute clusters", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Budget\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MachineLearning-ComputeCluster-Scale", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"maxNodeCount\":{\"defaultValue\":10,\"metadata\":{\"description\":\"Specifies the maximum node count of AML Clusters\",\"displayName\":\"Maximum Node 
Count\"},\"type\":\"Integer\"},\"maxNodeIdleTimeInSecondsBeforeScaleDown\":{\"defaultValue\":900,\"metadata\":{\"description\":\"Specifies the maximum node idle time in seconds before scaledown\",\"displayName\":\"Maximum Node Idle Time in Seconds Before Scaledown\"},\"type\":\"Integer\"},\"minNodeCount\":{\"defaultValue\":0,\"metadata\":{\"description\":\"Specifies the minimum node count of AML Clusters\",\"displayName\":\"Minimum Node Count\"},\"type\":\"Integer\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"equals\":\"AmlCompute\",\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\"},{\"anyOf\":[{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount\",\"greater\":\"[parameters('maxNodeCount')]\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount\",\"greater\":\"[parameters('minNodeCount')]\"},{\"greater\":\"[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]\",\"value\":\"[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-HbiWorkspace\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-HbiWorkspace", - "provider_name": 
"registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Enforces high business impact Azure Machine Learning workspaces.", - "display_name": "Enforces high business impact Azure Machine Learning Workspaces", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MachineLearning-HbiWorkspace", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\"notEquals\":true}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicAccessWhenBehindVnet\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicAccessWhenBehindVnet", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deny public access behind vnet to Azure Machine Learning workspaces.", - "display_name": "Deny public acces behind vnet to Azure Machine Learning workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Machine 
Learning\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MachineLearning-PublicAccessWhenBehindVnet", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\"notEquals\":false}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Denies public network access for Azure Machine Learning workspaces.", - "display_name": "Azure Machine Learning should have disabled public network access", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MachineLearning-PublicNetworkAccess", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces\",\"field\":\"type\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/publicNetworkAccess\",\"notEquals\":\"Disabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "MySQL database servers enforce SSL connections.", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-MySql-http", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"Select version minimum TLS for MySQL server\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforMySQL/servers\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\"},{\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"},{\"field\":\"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Azure 
Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "PostgreSQL database servers enforce SSL connection.", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.1\"}", - "mode": "Indexed", - "name": "Deny-PostgreSql-http", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"Select version minimum TLS for MySQL server\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforPostgreSQL/servers\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Private-DNS-Zones\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Private-DNS-Zones", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the creation of a private DNS in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription", - "display_name": "Deny the creation of private DNS", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-Private-DNS-Zones", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/privateDnsZones\",\"field\":\"type\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - 
"description": "This policy denies the creation of Maria DB accounts with exposed public endpoints", - "display_name": "Public network access should be disabled for MariaDB", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-PublicEndpoint-MariaDB", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforMariaDB/servers\",\"field\":\"type\"},{\"field\":\"Microsoft.DBforMariaDB/servers/publicNetworkAccess\",\"notequals\":\"Disabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies creation of Public IPs under the assigned scope.", - "display_name": "Deny the creation of public IP", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-PublicIP", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - 
"policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/publicIPAddresses\",\"field\":\"type\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies any network security rule that allows RDP access from Internet", - "display_name": "RDP access from the Internet should be blocked", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", - "mode": "All", - "name": "Deny-RDP-From-Internet", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/networkSecurityGroups/securityRules\",\"field\":\"type\"},{\"allOf\":[{\"equals\":\"Allow\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/access\"},{\"equals\":\"Inbound\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/direction\"},{\"anyOf\":[{\"equals\":\"*\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\"},{\"equals\":\"3389\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\"},{\"equals\":\"true\",\"value\":\"[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]\"},{\"count\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"where\":{\"equals\":\"true\",\"value\":\"[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 
'false')]\"}},\"greater\":0},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"notEquals\":\"3389\"}}]},{\"anyOf\":[{\"equals\":\"*\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\"},{\"equals\":\"Internet\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\"},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\"notEquals\":\"Internet\"}}]}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking", - "display_name": "Azure Cache for Redis only secure connections should be enabled", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Cache\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-Redis-http", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"The effect determines what happens when the policy rule is evaluated to match\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimumTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select minimum TLS version for Azure Cache for Redis.\",\"displayName\":\"Select minumum TLS version for Azure Cache for Redis.\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Cache/redis\",\"field\":\"type\"},{\"anyOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Cache/Redis/enableNonSslPort\"},{\"field\":\"Microsoft.Cache/Redis/minimumTlsVersion\",\"notequals\":\"[parameters('minimumTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Setting 
minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.", - "display_name": "Azure SQL Database should have the minimal TLS version set to the highest version", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-Sql-minTLS", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version SQL servers to enforce\",\"displayName\":\"Select version for SQL server\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Sql/servers\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.Sql/servers/minimalTlsVersion\"},{\"field\":\"Microsoft.Sql/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": 
"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.", - "display_name": "SQL Managed Instance should have the minimal TLS version set to the highest version", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-SqlMi-minTLS", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version SQL servers to enforce\",\"displayName\":\"Select version for SQL server\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Sql/managedInstances\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.Sql/managedInstances/minimalTlsVersion\"},{\"field\":\"Microsoft.Sql/managedInstances/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - 
"schema_version": 0, - "values": { - "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking", - "display_name": "Storage Account set to minumum TLS and Secure transfer should be enabled", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Storage\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deny-Storage-minTLS", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"The effect determines what happens when the policy rule is evaluated to match\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimumTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_1\",\"TLS1_0\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version on Azure Storage Account to enforce\",\"displayName\":\"Storage Account select minimum TLS version\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Storage/storageAccounts\",\"field\":\"type\"},{\"anyOf\":[{\"allOf\":[{\"less\":\"2019-04-01\",\"value\":\"[requestContext().apiVersion]\"},{\"exists\":\"false\",\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\"}]},{\"equals\":\"false\",\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\"},{\"field\":\"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\"notequals\":\"[parameters('minimumTlsVersion')]\"},{\"exists\":\"false\",\"field\":\"Microsoft.Storage/storageAccounts/minimumTlsVersion\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - 
"address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level.", - "display_name": "Subnets should have a Network Security Group", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Network\",\"version\":\"2.0.0\"}", - "mode": "All", - "name": "Deny-Subnet-Without-Nsg", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"excludedSubnets\":{\"defaultValue\":[\"GatewaySubnet\",\"AzureFirewallSubnet\",\"AzureFirewallManagementSubnet\"],\"metadata\":{\"description\":\"Array of subnet names that are excluded from this policy\",\"displayName\":\"Excluded Subnets\"},\"type\":\"Array\"}}", - "policy_rule": 
"{\"if\":{\"anyOf\":[{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks\",\"field\":\"type\"},{\"count\":{\"field\":\"Microsoft.Network/virtualNetworks/subnets[*]\",\"where\":{\"allOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id\"},{\"field\":\"Microsoft.Network/virtualNetworks/subnets[*].name\",\"notIn\":\"[parameters('excludedSubnets')]\"}]}},\"notEquals\":0}]},{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks/subnets\",\"field\":\"type\"},{\"field\":\"name\",\"notIn\":\"[parameters('excludedSubnets')]\"},{\"exists\":\"false\",\"field\":\"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the creation of a subnet without a User Defined Route (UDR).", - "display_name": "Subnets should have a User Defined Route", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Network\",\"version\":\"2.0.0\"}", - "mode": "All", - "name": "Deny-Subnet-Without-Udr", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"excludedSubnets\":{\"defaultValue\":[\"AzureBastionSubnet\"],\"metadata\":{\"description\":\"Array of subnet names that are excluded from this policy\",\"displayName\":\"Excluded Subnets\"},\"type\":\"Array\"}}", - "policy_rule": "{\"if\":{\"anyOf\":[{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks\",\"field\":\"type\"},{\"count\":{\"field\":\"Microsoft.Network/virtualNetworks/subnets[*]\",\"where\":{\"allOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.Network/virtualNetworks/subnets[*].routeTable.id\"},{\"field\":\"Microsoft.Network/virtualNetworks/subnets[*].name\",\"notIn\":\"[parameters('excludedSubnets')]\"}]}},\"notEquals\":0}]},{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks/subnets\",\"field\":\"type\"},{\"field\":\"name\",\"notIn\":\"[parameters('excludedSubnets')]\"},{\"exists\":\"false\",\"field\":\"Microsoft.Network/virtualNetworks/subnets/routeTable.id\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.", - "display_name": "Deny vNet peering cross subscription.", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.1\"}", - "mode": "All", - "name": 
"Deny-VNET-Peer-Cross-Sub", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\"field\":\"type\"},{\"field\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id\",\"notcontains\":\"[subscription().id]\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-VNet-Peering\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-VNet-Peering", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy denies the creation of vNet Peerings under the assigned scope.", - "display_name": "Deny vNet peering ", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.1\"}", - "mode": "All", - "name": "Deny-VNet-Peering", - "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\"field\":\"type\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - 
}, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy Azure Security Center Security Contacts", - "display_name": "Deploy Azure Security Center Security Contacts", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Security Center\",\"version\":\"1.0.0\"}", - "mode": "All", - "name": "Deploy-ASC-SecurityContacts", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"string\"},\"emailSecurityContact\":{\"metadata\":{\"description\":\"Provide email address for Azure Security Center contact details\",\"displayName\":\"Security contacts email address\"},\"type\":\"string\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"emailSecurityContact\":{\"value\":\"[parameters('emailSecurityContact')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"emailSecurityContact\":{\"metadata\":{\"description\":\"Security contacts email 
address\"},\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2020-01-01-preview\",\"name\":\"default\",\"properties\":{\"alertNotifications\":{\"minimalSeverity\":\"High\",\"state\":\"On\"},\"emails\":\"[parameters('emailSecurityContact')]\",\"notificationsByRole\":{\"roles\":[\"Owner\"],\"state\":\"On\"}},\"type\":\"Microsoft.Security/securityContacts\"}],\"variables\":{}}}},\"deploymentScope\":\"subscription\",\"existenceCondition\":{\"allOf\":[{\"contains\":\"[parameters('emailSecurityContact')]\",\"field\":\"Microsoft.Security/securityContacts/email\"},{\"equals\":\"Microsoft.Security/securityContacts\",\"field\":\"type\"},{\"equals\":\"On\",\"field\":\"Microsoft.Security/securityContacts/alertNotifications\"},{\"equals\":\"On\",\"field\":\"Microsoft.Security/securityContacts/alertsToAdmins\"}]},\"existenceScope\":\"subscription\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd\"],\"type\":\"Microsoft.Security/securityContacts\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Budget\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Budget", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy a default budget on all subscriptions under the assigned scope", - "display_name": "Deploy a default budget on all subscriptions under the assigned scope", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Budget\",\"version\":\"1.1.0\"}", - "mode": "All", - "name": 
"Deploy-Budget", - "parameters": "{\"amount\":{\"defaultValue\":\"1000\",\"metadata\":{\"description\":\"The total amount of cost or usage to track with the budget\"},\"type\":\"String\"},\"budgetName\":{\"defaultValue\":\"budget-set-by-policy\",\"metadata\":{\"description\":\"The name for the budget to be created\"},\"type\":\"String\"},\"contactEmails\":{\"defaultValue\":[],\"metadata\":{\"description\":\"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"},\"type\":\"Array\"},\"contactGroups\":{\"defaultValue\":[],\"metadata\":{\"description\":\"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"},\"type\":\"Array\"},\"contactRoles\":{\"defaultValue\":[\"Owner\",\"Contributor\"],\"metadata\":{\"description\":\"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"},\"type\":\"Array\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\"},\"type\":\"String\"},\"firstThreshold\":{\"defaultValue\":\"90\",\"metadata\":{\"description\":\"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"},\"type\":\"String\"},\"secondThreshold\":{\"defaultValue\":\"100\",\"metadata\":{\"description\":\"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"},\"type\":\"String\"},\"timeGrain\":{\"allowedValues\":[\"Monthly\",\"Quarterly\",\"Annually\",\"BillingMonth\",\"BillingQuarter\",\"BillingAnnual\"],\"defaultValue\":\"Monthly\",\"metadata\":{\"description\":\"The time covered by a budget. 
Tracking of the amount will be reset based on the time grain.\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"amount\":{\"value\":\"[parameters('amount')]\"},\"budgetName\":{\"value\":\"[parameters('budgetName')]\"},\"contactEmails\":{\"value\":\"[parameters('contactEmails')]\"},\"contactGroups\":{\"value\":\"[parameters('contactGroups')]\"},\"contactRoles\":{\"value\":\"[parameters('contactRoles')]\"},\"firstThreshold\":{\"value\":\"[parameters('firstThreshold')]\"},\"secondThreshold\":{\"value\":\"[parameters('secondThreshold')]\"},\"timeGrain\":{\"value\":\"[parameters('timeGrain')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"amount\":{\"type\":\"String\"},\"budgetName\":{\"type\":\"String\"},\"contactEmails\":{\"type\":\"Array\"},\"contactGroups\":{\"type\":\"Array\"},\"contactRoles\":{\"type\":\"Array\"},\"firstThreshold\":{\"type\":\"String\"},\"secondThreshold\":{\"type\":\"String\"},\"startDate\":{\"defaultValue\":\"[concat(utcNow('MM'), '/01/', 
utcNow('yyyy'))]\",\"type\":\"String\"},\"timeGrain\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2019-10-01\",\"name\":\"[parameters('budgetName')]\",\"properties\":{\"amount\":\"[parameters('amount')]\",\"category\":\"Cost\",\"notifications\":{\"NotificationForExceededBudget1\":{\"contactEmails\":\"[parameters('contactEmails')]\",\"contactGroups\":\"[parameters('contactGroups')]\",\"contactRoles\":\"[parameters('contactRoles')]\",\"enabled\":true,\"operator\":\"GreaterThan\",\"threshold\":\"[parameters('firstThreshold')]\"},\"NotificationForExceededBudget2\":{\"contactEmails\":\"[parameters('contactEmails')]\",\"contactGroups\":\"[parameters('contactGroups')]\",\"contactRoles\":\"[parameters('contactRoles')]\",\"enabled\":true,\"operator\":\"GreaterThan\",\"threshold\":\"[parameters('secondThreshold')]\"}},\"timeGrain\":\"[parameters('timeGrain')]\",\"timePeriod\":{\"startDate\":\"[parameters('startDate')]\"}},\"type\":\"Microsoft.Consumption/budgets\"}]}}},\"deploymentScope\":\"subscription\",\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('amount')]\",\"field\":\"Microsoft.Consumption/budgets/amount\"},{\"equals\":\"[parameters('timeGrain')]\",\"field\":\"Microsoft.Consumption/budgets/timeGrain\"},{\"equals\":\"Cost\",\"field\":\"Microsoft.Consumption/budgets/category\"}]},\"existenceScope\":\"subscription\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Consumption/budgets\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Custom-Route-Table\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": 
"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Custom-Route-Table", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys a route table with specific user defined routes when one does not exist. The route table deployed by the policy must be manually associated to subnet(s)", - "display_name": "Deploy a route table with specific user defined routes", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Custom-Route-Table", - "parameters": "{\"disableBgpPropagation\":{\"defaultValue\":false,\"metadata\":{\"description\":\"Disable BGP Propagation\",\"displayName\":\"DisableBgpPropagation\"},\"type\":\"Boolean\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"requiredRoutes\":{\"metadata\":{\"description\":\"Routes that must exist in compliant route tables deployed by this policy\",\"displayName\":\"requiredRoutes\"},\"type\":\"Array\"},\"routeTableName\":{\"metadata\":{\"description\":\"Name of the route table automatically deployed by this policy\",\"displayName\":\"routeTableName\"},\"type\":\"String\"},\"vnetRegion\":{\"metadata\":{\"description\":\"Only VNets in this region will be evaluated against this policy\",\"displayName\":\"vnetRegion\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks\",\"field\":\"type\"},{\"equals\":\"[parameters('vnetRegion')]\",\"field\":\"location\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"disableBgpPropagation\":{\"value\":\"[parameters('disableBgpPropagation')]\"},\"requiredRoutes\":{\"value\":\"[parameters('requiredRoutes')]\"},\"routeTableName\":{\"value\":\"[parameters('routeTableName')]\"},\"vnetRegion\":{\"value\":\"[parameters('vnetRegion')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"disableBgpPropagation\":{\"type\":\"bool\"},\"requiredRoutes\":{\"type\":\"array\"},\"routeTableName\":{\"type\":\"string\"},\"vnetRegion\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2021-04-01\",\"name\":\"routeTableDepl\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"disableBgpPropagation\":{\"value\":\"[parameters('disableBgpPropagation')]\"},\"requiredRoutes\":{\"value\":\"[parameters('requiredRoutes')]\"},\"routeTableName\":{\"value\":\"[parameters('routeTableName')]\"},\"vnetRegion\":{\"value\":\"[parameters('vnetRegion')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"disableBgpPropagation\":{\"type\":\"bool\"},\"requiredRoutes\":{\"type\":\"array\"},\"routeTableName\":{\"type\":\"string\"},\"vnetRegion\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2021-02-01\",\"location\":\"[[parameters('vnetRegion')]\",\"name\":\"[[parameters('routeTableName')]\",\"properties\":{\"copy\":\"[variables('copyLoop')]\",\"disableBgpRoutePropagation\":\"[[parameters('disableBgpPropagation')]\"},\"type\":\"Microsoft.Network/routeTables\"}]}},\"type\":\"Microsoft.Resources/deployments\"}],\"variables\":{\"copyLoop\":[{\"count\":\"[[length(parameters('requir
edRoutes'))]\",\"input\":{\"name\":\"[[concat('route-',copyIndex('routes'))]\",\"properties\":{\"addressPrefix\":\"[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[0]]\",\"nextHopIpAddress\":\"[[if(equals(toLower(split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]),'virtualappliance'),split(parameters('requiredRoutes')[copyIndex('routes')], ';')[2], null())]\",\"nextHopType\":\"[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]]\"}},\"name\":\"routes\"}]}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('routeTableName')]\",\"field\":\"name\"},{\"count\":{\"field\":\"Microsoft.Network/routeTables/routes[*]\",\"where\":{\"in\":\"[parameters('requiredRoutes')]\",\"value\":\"[concat(current('Microsoft.Network/routeTables/routes[*].addressPrefix'), ';', current('Microsoft.Network/routeTables/routes[*].nextHopType'), if(equals(toLower(current('Microsoft.Network/routeTables/routes[*].nextHopType')),'virtualappliance'), concat(';', current('Microsoft.Network/routeTables/routes[*].nextHopIpAddress')), ''))]\"}},\"equals\":\"[length(parameters('requiredRoutes'))]\"}]},\"roleDefinitionIds\":[\"/subscriptions/e867a45d-e513-44ac-931e-4741cef80b24/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"],\"type\":\"Microsoft.Network/routeTables\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-DDoSProtection\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-DDoSProtection", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - 
"schema_version": 0, - "values": { - "description": "Deploys an Azure DDoS Protection Standard plan", - "display_name": "Deploy an Azure DDoS Protection Standard plan", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", - "mode": "All", - "name": "Deploy-DDoSProtection", - "parameters": "{\"ddosName\":{\"metadata\":{\"description\":\"DDoSVnet\",\"displayName\":\"ddosName\"},\"type\":\"String\"},\"ddosRegion\":{\"metadata\":{\"description\":\"DDoSVnet location\",\"displayName\":\"ddosRegion\",\"strongType\":\"location\"},\"type\":\"String\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"rgName\":{\"metadata\":{\"description\":\"Provide name for resource group.\",\"displayName\":\"rgName\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"ddosname\":{\"value\":\"[parameters('ddosname')]\"},\"ddosregion\":{\"value\":\"[parameters('ddosRegion')]\"},\"rgName\":{\"value\":\"[parameters('rgName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"ddosRegion\":{\"type\":\"String\"},\"ddosname\":{\"type\":\"String\"},\"rgName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2018-05-01\",\"location\":\"[deployment().location]\",\"name\":\"[parameters('rgName')]\",\"properties\":{},\"type\":\"Microsoft.Resources/resourceGroups\"},{\"apiVersion\":\"2018-05-01\",\"dependsOn\":[\"[resourceId('Microsoft.Resources/resourceGroups/', 
parameters('rgName'))]\"],\"name\":\"ddosprotection\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{},\"resources\":[{\"apiVersion\":\"2019-12-01\",\"location\":\"[parameters('ddosRegion')]\",\"name\":\"[parameters('ddosName')]\",\"properties\":{},\"type\":\"Microsoft.Network/ddosProtectionPlans\"}]}},\"resourceGroup\":\"[parameters('rgName')]\",\"type\":\"Microsoft.Resources/deployments\"}]}}},\"deploymentScope\":\"subscription\",\"existenceScope\":\"resourceGroup\",\"name\":\"[parameters('ddosName')]\",\"resourceGroupName\":\"[parameters('rgName')]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"],\"type\":\"Microsoft.Network/ddosProtectionPlans\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Automation to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-AA", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Automation/automationAccounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"JobLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"JobStreams\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DscNodeStatus\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AuditEvent\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Automation/automationAccounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the 
diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.", - "display_name": "Deploy Diagnostic Settings for Container Instances to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-ACI", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.ContainerInstance/containerGroups\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.ContainerInstance/containerGroups/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - 
"timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.", - "display_name": "Deploy Diagnostic Settings for Container Registry to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-ACR", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.ContainerRegistry/registries\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[paramet
ers('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ContainerRegistryLoginEvents\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ContainerRegistryRepositoryEvents\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.ContainerRegistry/registries/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic 
settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for API Management to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-APIMgmt", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.ApiManagement/service\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"GatewayLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.ApiManagement/service/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-AnalysisService", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.AnalysisServices/servers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Engine\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Service\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.AnalysisServices/servers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is 
created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-ApiForFHIR", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.HealthcareApis/services\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.HealthcareApis/services/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-ApplicationGateway", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/applicationGateways\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ApplicationGatewayAccessLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ApplicationGatewayPerformanceLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ApplicationGatewayFirewallLog\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/applicationGateways/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the 
diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-CDNEndpoints", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Cdn/profiles/endpoints\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('fullName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"CoreAnalytics\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Cdn/profiles/endpoints/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-CognitiveServices", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.CognitiveServices/accounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameter
s('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"RequestResponse\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Trace\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.CognitiveServices/accounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": 
"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-CosmosDB", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DocumentDB/databaseAccounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"DataPlaneRequests\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"MongoRequests\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"QueryRuntimeStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"PartitionKeyStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"PartitionKeyRUConsumption\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ControlPlaneRequests\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"CassandraRequests\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"GremlinRequests\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"Requests\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DocumentDB/databaseAccounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\"]", - 
"mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-DLAnalytics", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.DataLakeAnalytics/accounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameter
s('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Requests\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Azure Data 
Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-DataExplorerCluster", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Kusto/Clusters\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"SucceededIngestion\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"FailedIngestion\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"IngestionBatching\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Command\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Query\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TableUsageStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TableDetails\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Kusto/Clusters/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": 
"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Data Factory to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-DataFactory", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.DataFactory/factories\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('lo
cation')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ActivityRuns\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"PipelineRuns\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TriggerRuns\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageEventMessages\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageExecutableStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageEventMessageContext\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageExecutionComponentPhases\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageExecutionDataStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISIntegrationRuntimeLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DataFactory/factories/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Databricks to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-Databricks", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Databricks/workspaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"dbfs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"clusters\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"accounts\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"jobs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"notebook\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ssh\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"workspace\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"secrets\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"sqlPermissions\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"instancePools\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Databricks/workspaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": 
"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-EventGridSub", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.EventGrid/eventSubscriptions\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.EventGrid/eventSubscriptions/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-EventGridSystemTopic", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.EventGrid/systemTopics\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"DeliveryFailures\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.EventGrid/systemTopics/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-EventGridTopic", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.EventGrid/topics\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"DeliveryFailures\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"PublishFailures\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.EventGrid/topics/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings 
is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-ExpressRoute", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/expressRouteCircuits\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"PeeringRouteLog\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/expressRouteCircuits/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Firewall to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-Firewall", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/azureFirewalls\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AzureFirewallApplicationRule\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AzureFirewallNetworkRule\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AzureFirewallDnsProxy\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/azureFirewalls/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Front Door 
to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Front Door to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-FrontDoor", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/frontDoors\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"FrontdoorAccessLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"FrontdoorWebApplicationFirewallLog\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/frontDoors/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this 
diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-Function", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"contains\":\"functionapp\",\"value\":\"[field('kind')]\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"FunctionAppLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Web/sites/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for HDInsight to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-HDInsight", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.HDInsight/clusters\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.HDInsight/clusters/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - 
"sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-LoadBalancer", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/loadBalancers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('lo
cation')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"LoadBalancerAlertEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"LoadBalancerProbeHealthStatus\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/loadBalancers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for 
Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-LogicAppsISE", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Logic/integrationAccounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"IntegrationAccountTrackingEvents\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Logic/integrationAccounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for MariaDB to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-MariaDB", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.DBforMariaDB/servers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('loc
ation')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"MySqlSlowLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"MySqlAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DBforMariaDB/servers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Azure Media Service to stream 
to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-MediaService", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Media/mediaServices\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"KeyDeliveryRequests\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Media/mediaServices/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-MlWorkspace", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.MachineLearningServices/workspaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AmlComputeClusterEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AmlComputeClusterNodeEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AmlComputeJobEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AmlComputeCpuGpuUtilization\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AmlRunStatusChangedEvent\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"Run\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null},{\"category\":\"Model\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":true}},{\"category\":\"Quota\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null},{\"category\":\"Resource\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.MachineLearningServices/workspaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-MySQL", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.DBforMySQL/servers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('locat
ion')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"MySqlSlowLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"MySqlAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DBforMySQL/servers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics 
workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-NIC", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/networkInterfaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/networkInterfaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - 
"sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-NetworkSecurityGroups", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/networkSecurityGroups\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"NetworkSecurityGroupEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"NetworkSecurityGroupRuleCounter\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-PostgreSQL", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DBforPostgreSQL/servers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"PostgreSQLLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"QueryStoreRuntimeStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"QueryStoreWaitStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DBforPostgreSQL/servers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Power 
BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-PowerBIEmbedded", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.PowerBIDedicated/capacities\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Engine\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.PowerBIDedicated/capacities/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-RedisCache", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Cache/redis\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Cache/redis/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - 
}, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Relay to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-Relay", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Relay/namespaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('locatio
n')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"HybridConnectionsEvent\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Relay/namespaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing 
this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-SQLElasticPools", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Sql/servers/elasticPools\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('fullName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Sql/servers/elasticPools/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - 
}, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-SQLMI", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Sql/managedInstances\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ResourceUsageStats\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SQLSecurityAuditEvents\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DevOpsOperationsAudit\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Sql/managedInstances/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for SignalR to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-SignalR", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.SignalRService/SignalR\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AllLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.SignalRService/SignalR/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-TimeSeriesInsights", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.TimeSeriesInsights/environments\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Ingress\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Management\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.TimeSeriesInsights/environments/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this 
diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-TrafficManager", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/trafficManagerProfiles\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ProbeHealthStatusEvents\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/trafficManagerProfiles/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-VM", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Compute/virtualMachines\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false}}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Compute/virtualMachines/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": 
{} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-VMSS", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false}}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Compute/virtualMachineScaleSets/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled.", - "display_name": "Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-VNetGW", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/virtualNetworkGateways\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"GatewayDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"IKEDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"P2SDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"RouteDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"RouteDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TunnelDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/virtualNetworkGateways/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": 
"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-VirtualNetwork", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/virtualNetworks\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('
location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"VMProtectionAlerts\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false}}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/virtualNetworks/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for WVD Application group to stream to a Log Analytics workspace when any application group which is missing this 
diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", - "display_name": "Deploy Diagnostic Settings for WVD Application group to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-WVDAppGroup", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DesktopVirtualization/applicationGroups\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Checkpoint\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Error\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Management\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DesktopVirtualization/applicationGroups/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for WVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all and categorys enabled.", - "display_name": "Deploy Diagnostic Settings for WVD Host Pools to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-WVDHostPools", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DesktopVirtualization/hostpools\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Checkpoint\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Error\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Management\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Connection\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"HostRegistration\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AgentHealthStatus\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DesktopVirtualization/hostpools/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for WVD Workspace to stream to a Log Analytics workspace when 
any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", - "display_name": "Deploy Diagnostic Settings for WVD Workspace to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-WVDWorkspace", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DesktopVirtualization/workspaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Checkpoint\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Error\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Management\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Feed\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DesktopVirtualization/workspaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-WebServerFarm", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Web/serverfarms\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Web/serverfarms/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - 
"sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for App Service to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-Website", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"notContains\":\"functionapp\",\"value\":\"[field('kind')]\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"20
17-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AppServiceAntivirusScanAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceHTTPLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceConsoleLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceHTTPLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceAppLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceFileAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceIPSecAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServicePlatformLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Web/sites/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": 
{} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", - "display_name": "Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Diagnostics-iotHub", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Devices/IotHubs\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location
')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Connections\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DeviceTelemetry\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"C2DCommands\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DeviceIdentityOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"FileUploadOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Routes\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"D2CTwinOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"C2DTwinOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TwinQueries\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"JobsOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DirectMethods\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DistributedTracing\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Configurations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DeviceStreams\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Devices/IotHubs/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa
\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-FirewallPolicy\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-FirewallPolicy", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys Azure Firewall Manager policy in subscription where the policy is assigned.", - "display_name": "Deploy Azure Firewall Manager policy in the subscription", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", - "mode": "All", - "name": "Deploy-FirewallPolicy", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"fwPolicyRegion\":{\"metadata\":{\"description\":\"Select Azure region for Azure Firewall Policy\",\"displayName\":\"fwPolicyRegion\",\"strongType\":\"location\"},\"type\":\"String\"},\"fwpolicy\":{\"defaultValue\":{},\"metadata\":{\"description\":\"Object describing Azure Firewall Policy\",\"displayName\":\"fwpolicy\"},\"type\":\"Object\"},\"rgName\":{\"metadata\":{\"description\":\"Provide name for resource group.\",\"displayName\":\"rgName\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"fwPolicy\":{\"value\":\"[parameters('fwPolicy')]\"},\"fwPolicyRegion\":{\"value\":\"[parameters('fwPolicyRegion')]\"},\"rgName\":{\"value\":\"[parameters('rgName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"fwPolicy\":{\"type\":\"object\"},\"fwPolicyRegion\":{\"type\":\"String\"},\"rgName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2018-05-01\",\"location\":\"[deployment().location]\",\"name\":\"[parameters('rgName')]\",\"properties\":{},\"type\":\"Microsoft.Resources/resourceGroups\"},{\"apiVersion\":\"2018-05-01\",\"dependsOn\":[\"[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]\"],\"name\":\"fwpolicies\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{},\"resources\":[{\"apiVersion\":\"2019-09-01\",\"dependsOn\":[],\"location\":\"[parameters('fwpolicy').location]\",\"name\":\"[parameters('fwpolicy').firewallPolicyName]\",\"properties\":{},\"resources\":[{\"apiVersion\":\"2019-09-01\",\"dependsOn\":[\"[resourceId('Microsoft.Network/firewallPolicies',parameters('fwpolicy').firewallPolicyName)]\"],\"name\":\"[parameters('fwpolicy').ruleGroups.name]\",\"properties\":{\"priority\":\"[parameters('fwpolicy').ruleGroups.properties.priority]\",\"rules\":\"[parameters('fwpolicy').ruleGroups.properties.rules]\"},\"type\":\"ruleGroups\"}],\"tags\":{},\"type\":\"Microsoft.Network/firewallPolicies\"}],\"variables\":{}}},\"resourceGroup\":\"[parameters('rgName')]\",\"type\":\"Microsoft.Resources/deployments\"}]}}},\"depl
oymentScope\":\"subscription\",\"existenceScope\":\"resourceGroup\",\"resourceGroupName\":\"[parameters('rgName')]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Network/firewallPolicies\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-MySQL-sslEnforcement", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure Database for MySQL server\",\"displayName\":\"Effect minimum TLS version Azure Database for MySQL server\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"Select version minimum TLS for MySQL server\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforMySQL/servers\",\"field\":\"type\"},{\"anyOf\":[{\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"},{\"field\":\"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('minimalTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimalTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-12-01\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimalTlsVersion\":\"[parameters('minimalTlsVersion')]\",\"sslEnforcement\":\"[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]\"},\"type\":\"Microsoft.DBforMySQL/servers\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"Enabled\",\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\"},{\"equals\":\"[parameters('minimalTlsVersion')]\",\"field\":\"Microsoft.DBforMySQL/servers/minimalTlsVersion\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.DBforMySQL/servers\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs\"]", - 
"mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys NSG flow logs and traffic analytics to a storageaccountid with a specfied retention period.", - "display_name": "Deploys NSG flow logs and traffic analytics", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Nsg-FlowLogs", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"flowAnalyticsEnabled\":{\"defaultValue\":false,\"metadata\":{\"displayName\":\"Enable Traffic Analytics\"},\"type\":\"Boolean\"},\"logAnalytics\":{\"defaultValue\":\"\",\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Resource ID of Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"retention\":{\"defaultValue\":5,\"metadata\":{\"displayName\":\"Retention\"},\"type\":\"Integer\"},\"storageAccountResourceId\":{\"metadata\":{\"displayName\":\"Storage Account Resource Id\",\"strongType\":\"Microsoft.Storage/storageAccounts\"},\"type\":\"String\"},\"trafficAnalyticsInterval\":{\"defaultValue\":60,\"metadata\":{\"displayName\":\"Traffic Analytics processing interval mins (10/60)\"},\"type\":\"Integer\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/networkSecurityGroups\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"flowAnalyticsEnabled\":{\"value\":\"[parameters('flowAnalyticsEnabled')]\"},\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"networkSecurityGroupName\":{\"value\":\"[field('name')]\"},\"resourceGroupName\":{\"value\":\"[resourceGroup().name]\"},\"retention\":{\"value\":\"[parameters('retention')]\"},\"storageAccountResourceId\":{\"value\":\"[parameters('storageAccountResourceId')]\"},\"trafficAnalyticsInterval\":{\"value\":\"[parameters('trafficAnalyticsInterval')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"flowAnalyticsEnabled\":{\"type\":\"bool\"},\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"networkSecurityGroupName\":{\"type\":\"String\"},\"resourceGroupName\":{\"type\":\"String\"},\"retention\":{\"type\":\"int\"},\"storageAccountResourceId\":{\"type\":\"String\"},\"trafficAnalyticsInterval\":{\"type\":\"int\"}},\"resources\":[{\"api
Version\":\"2020-05-01\",\"location\":\"[parameters('location')]\",\"name\":\"[take(concat('NetworkWatcher_', toLower(parameters('location')), '/', parameters('networkSecurityGroupName'), '-', parameters('resourceGroupName'), '-flowlog' ), 80)]\",\"properties\":{\"enabled\":true,\"flowAnalyticsConfiguration\":{\"networkWatcherFlowAnalyticsConfiguration\":{\"enabled\":\"[bool(parameters('flowAnalyticsEnabled'))]\",\"trafficAnalyticsInterval\":\"[parameters('trafficAnalyticsInterval')]\",\"workspaceId\":\"[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').properties.customerId, json('null')) ]\",\"workspaceRegion\":\"[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').location, json('null')) ]\",\"workspaceResourceId\":\"[if(not(empty(parameters('logAnalytics'))), parameters('logAnalytics'), json('null'))]\"}},\"format\":{\"type\":\"JSON\",\"version\":2},\"retentionPolicy\":{\"days\":\"[parameters('retention')]\",\"enabled\":true},\"storageId\":\"[parameters('storageAccountResourceId')]\",\"targetResourceId\":\"[resourceId(parameters('resourceGroupName'), 'Microsoft.Network/networkSecurityGroups', 
parameters('networkSecurityGroupName'))]\"},\"type\":\"Microsoft.Network/networkWatchers/flowLogs\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Network/networkWatchers/flowLogs/enabled\"},{\"equals\":\"[parameters('flowAnalyticsEnabled')]\",\"field\":\"Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled\"}]},\"resourceGroupName\":\"NetworkWatcherRG\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Network/networkWatchers/flowLogs\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs-to-LA\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs-to-LA", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys NSG flow logs and traffic analytics to Log Analytics with a specfied retention period.", - "display_name": "Deploys NSG flow logs and traffic analytics to Log Analytics", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.1.0\"}", - "mode": "Indexed", - "name": "Deploy-Nsg-FlowLogs-to-LA", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"interval\":{\"defaultValue\":60,\"metadata\":{\"displayName\":\"Traffic Analytics processing interval mins (10/60)\"},\"type\":\"Integer\"},\"retention\":{\"defaultValue\":5,\"metadata\":{\"displayName\":\"Retention\"},\"type\":\"Integer\"},\"workspace\":{\"defaultValue\":\"\",\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Resource ID of Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/networkSecurityGroups\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"interval\":{\"value\":\"[parameters('interval')]\"},\"location\":{\"value\":\"[field('location')]\"},\"networkSecurityGroup\":{\"value\":\"[field('id')]\"},\"retention\":{\"value\":\"[parameters('retention')]\"},\"workspace\":{\"value\":\"[parameters('workspace')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"interval\":{\"type\":\"int\"},\"location\":{\"type\":\"String\"},\"networkSecurityGroup\":{\"type\":\"String\"},\"retention\":{\"type\":\"int\"},\"time\":{\"defaultValue\":\"[utcNow()]\",\"type\":\"String\"},\"workspace\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2019-10-01\",\"name\":\"[concat(variables('resourceGroupName'), '.', 
variables('securityGroupName'))]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"resources\":[{\"apiVersion\":\"2019-06-01\",\"kind\":\"StorageV2\",\"location\":\"[parameters('location')]\",\"name\":\"[variables('storageAccountName')]\",\"properties\":{},\"sku\":{\"name\":\"Standard_LRS\",\"tier\":\"Standard\"},\"type\":\"Microsoft.Storage/storageAccounts\"}]}},\"resourceGroup\":\"[variables('resourceGroupName')]\",\"type\":\"Microsoft.Resources/deployments\"},{\"apiVersion\":\"2019-10-01\",\"dependsOn\":[\"[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]\"],\"name\":\"[concat('NetworkWatcherRG', '.', variables('securityGroupName'))]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"resources\":[{\"apiVersion\":\"2020-05-01\",\"location\":\"[parameters('location')]\",\"name\":\"[concat('NetworkWatcher_', toLower(parameters('location')))]\",\"properties\":{},\"resources\":[{\"apiVersion\":\"2019-11-01\",\"dependsOn\":[\"[concat('NetworkWatcher_', toLower(parameters('location')))]\"],\"location\":\"[parameters('location')]\",\"name\":\"[concat(variables('securityGroupName'), '-Network-flowlog')]\",\"properties\":{\"enabled\":true,\"flowAnalyticsConfiguration\":{\"networkWatcherFlowAnalyticsConfiguration\":{\"enabled\":true,\"trafficAnalyticsInterval\":\"[parameters('interval')]\",\"workspaceResourceId\":\"[parameters('workspace')]\"}},\"format\":{\"type\":\"JSON\",\"version\":2},\"retentionPolicy\":{\"days\":\"[parameters('retention')]\",\"enabled\":true},\"storageId\":\"[concat(subscription().id, '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.Storage/storageAccounts/', 
variables('storageAccountName'))]\",\"targetResourceId\":\"[parameters('networkSecurityGroup')]\"},\"type\":\"flowLogs\"}],\"type\":\"Microsoft.Network/networkWatchers\"}]}},\"resourceGroup\":\"NetworkWatcherRG\",\"type\":\"Microsoft.Resources/deployments\"}],\"variables\":{\"resourceGroupName\":\"[split(parameters('networkSecurityGroup'), '/')[4]]\",\"securityGroupName\":\"[split(parameters('networkSecurityGroup'), '/')[8]]\",\"storageAccountName\":\"[concat('es', uniqueString(variables('securityGroupName'), parameters('time')))]\"}}}},\"deploymentScope\":\"subscription\",\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Network/networkWatchers/flowLogs/enabled\"}]},\"existenceScope\":\"resourceGroup\",\"name\":\"[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id'))), 'null/null', concat(split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8], '/', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10]))]\",\"resourceGroupName\":\"[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), 'NetworkWatcherRG', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\",\"/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12\",\"/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\",\"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\",\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Network/networkWatchers/flowlogs\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL ", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-PostgreSQL-sslEnforcement", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure Database for PostgreSQL server\",\"displayName\":\"Effect Azure Database for PostgreSQL server\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for PostgreSQL server to enforce\",\"displayName\":\"Select version for PostgreSQL 
server\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforPostgreSQL/servers\",\"field\":\"type\"},{\"anyOf\":[{\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\"notEquals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('minimalTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimalTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-12-01\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimalTlsVersion\":\"[parameters('minimalTlsVersion')]\",\"sslEnforcement\":\"[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]\"},\"type\":\"Microsoft.DBforPostgreSQL/servers\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"Enabled\",\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\"},{\"equals\":\"[parameters('minimalTlsVersion')]\",\"field\":\"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\"}]},\"name\":\"current\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.DBforPostgreSQL/servers\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "SQL servers deploys a specific min TLS version requirement.", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-SQL-minTLS", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version SQL servers\",\"displayName\":\"Effect SQL servers\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version SQL servers to enforce\",\"displayName\":\"Select version for SQL server\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Sql/servers\",\"field\":\"type\"},{\"field\":\"Microsoft.Sql/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('minimalTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimalTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2019-06-01-preview\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimalTlsVersion\":\"[parameters('minimalTlsVersion')]\"},\"type\":\"Microsoft.Sql/servers\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('minimalTlsVersion')]\",\"field\":\"Microsoft.Sql/servers/minimalTlsVersion\"}]},\"name\":\"current\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.Sql/servers\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - 
"schema_version": 0, - "values": { - "description": "Deploy auditing settings to SQL Database when it not exist in the deployment", - "display_name": "Deploy SQL database auditing settings", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Sql-AuditingSettings", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Sql/servers/databases\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"sqlServerDataBaseName\":{\"value\":\"[field('name')]\"},\"sqlServerName\":{\"value\":\"[first(split(field('fullname'),'/'))]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"sqlServerDataBaseName\":{\"type\":\"String\"},\"sqlServerName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-03-01-preview\",\"name\":\"[concat( 
parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\"properties\":{\"auditActionsAndGroups\":[\"BATCH_COMPLETED_GROUP\",\"DATABASE_OBJECT_CHANGE_GROUP\",\"SCHEMA_OBJECT_CHANGE_GROUP\",\"BACKUP_RESTORE_GROUP\",\"APPLICATION_ROLE_CHANGE_PASSWORD_GROUP\",\"DATABASE_PRINCIPAL_CHANGE_GROUP\",\"DATABASE_PRINCIPAL_IMPERSONATION_GROUP\",\"DATABASE_ROLE_MEMBER_CHANGE_GROUP\",\"USER_CHANGE_PASSWORD_GROUP\",\"DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP\",\"DATABASE_OBJECT_PERMISSION_CHANGE_GROUP\",\"DATABASE_PERMISSION_CHANGE_GROUP\",\"SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP\",\"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP\",\"FAILED_DATABASE_AUTHENTICATION_GROUP\"],\"isAzureMonitorTargetEnabled\":true,\"state\":\"enabled\"},\"type\":\"Microsoft.Sql/servers/databases/auditingSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"enabled\",\"field\":\"Microsoft.Sql/servers/databases/auditingSettings/state\"},{\"equals\":\"true\",\"field\":\"Microsoft.Sql/servers/databases/auditingSettings/isAzureMonitorTargetEnabled\"}]},\"name\":\"default\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"],\"type\":\"Microsoft.Sql/servers/databases/auditingSettings\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": 
"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration", - "display_name": "Deploy SQL Database security Alert Policies configuration with email admin accounts", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Sql-SecurityAlertPolicies", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Sql/servers/databases\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"sqlServerDataBaseName\":{\"value\":\"[field('name')]\"},\"sqlServerName\":{\"value\":\"[first(split(field('fullname'),'/'))]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"sqlServerDataBaseName\":{\"type\":\"String\"},\"sqlServerName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2018-06-01-preview\",\"name\":\"[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\"properties\":{\"disabledAlerts\":[\"\"],\"emailAccountAdmins\":true,\"emailAddresses\":[\"admin@contoso.com\"],\"retentionDays\":0,\"state\":\"Enabled\",\"storageAccountAccessKey\":\"\",\"storageEndpoint\":null},\"type\":\"Microsoft.Sql/servers/databases/securityAlertPolicies\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"Enabled\",\"field\":\"Microsoft.Sql/servers/databases/securityAlertPolicies/state\"}]},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88
-42e1-933e-88ba6a50c9c3\"],\"type\":\"Microsoft.Sql/servers/databases/securityAlertPolicies\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment", - "display_name": "Deploy SQL Database Transparent Data Encryption ", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Sql-Tde", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Sql/servers/databases\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"sqlServerDataBaseName\":{\"value\":\"[field('name')]\"},\"sqlServerName\":{\"value\":\"[first(split(field('fullname'),'/'))]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"sqlServerDataBaseName\":{\"type\":\"String\"},\"sqlServerName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2014-04-01\",\"name\":\"[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/current')]\",\"properties\":{\"status\":\"Enabled\"},\"type\":\"Microsoft.Sql/servers/databases/transparentDataEncryption\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"Enabled\",\"field\":\"Microsoft.Sql/transparentDataEncryption.status\"}]},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"],\"type\":\"Microsoft.Sql/servers/databases/transparentDataEncryption\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy SQL Database 
vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters", - "display_name": "Deploy SQL Database vulnerability Assessments", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Sql-vulnerabilityAssessments", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"vulnerabilityAssessmentsEmail\":{\"metadata\":{\"description\":\"The email address to send alerts\",\"displayName\":\"The email address to send alerts\"},\"type\":\"String\"},\"vulnerabilityAssessmentsStorageID\":{\"metadata\":{\"description\":\"The storage account ID to store assessments\",\"displayName\":\"The storage account ID to store assessments\"},\"type\":\"String\"}}", - "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Sql/servers/databases\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"sqlServerDataBaseName\":{\"value\":\"[field('name')]\"},\"sqlServerName\":{\"value\":\"[first(split(field('fullname'),'/'))]\"},\"vulnerabilityAssessmentsEmail\":{\"value\":\"[parameters('vulnerabilityAssessmentsEmail')]\"},\"vulnerabilityAssessmentsStorageID\":{\"value\":\"[parameters('vulnerabilityAssessmentsStorageID')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"sqlServerDataBaseName\":{\"type\":\"String\"},\"sqlServerName\":{\"type\":\"String\"},\"vulnerabilityAssessmentsEmail\":{\"type\":\"String\"},\"vulnerabilityAssessmentsStorageID\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-03-01-preview\",\"name\":\"[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\"properties\":{\"recurringScans\":{\"emailSubscriptionAdmins\":false,\"emails\":[\"[parameters('vulnerabilityAssessmentsEmail')]\"],\"isEnabled\":true},\"storageAccountAccessKey\":\"[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]\",\"storageContainerPath\":\"[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') ) , 
'.blob.core.windows.net/vulneraabilitylogs')]\"},\"type\":\"Microsoft.Sql/servers/databases/vulnerabilityAssessments\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('vulnerabilityAssessmentsEmail')]\",\"field\":\"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails\"},{\"equals\":true,\"field\":\"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled\"}]},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\",\"/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\"],\"type\":\"Microsoft.Sql/servers/databases/vulnerabilityAssessments\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "SQL managed instances deploy a specific min TLS version requirement.", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-SqlMi-minTLS", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version SQL servers\",\"displayName\":\"Effect SQL servers\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version SQL servers to enforce\",\"displayName\":\"Select version for SQL server\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Sql/managedInstances\",\"field\":\"type\"},{\"field\":\"Microsoft.Sql/managedInstances/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('minimalTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimalTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2020-02-02-preview\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimalTlsVersion\":\"[parameters('minimalTlsVersion')]\"},\"type\":\"Microsoft.Sql/managedInstances\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[
{\"equals\":\"[parameters('minimalTlsVersion')]\",\"field\":\"Microsoft.Sql/managedInstances/minimalTlsVersion\"}]},\"name\":\"current\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.Sql/managedInstances\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure STorage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", - "display_name": "Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS ", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Storage\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Storage-sslEnforcement", - "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure STorage\",\"displayName\":\"Effect Azure STorage\"},\"type\":\"String\"},\"minimumTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_1\",\"TLS1_0\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure STorage to enforce\",\"displayName\":\"Select version for PostgreSQL server\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Storage/storageAccounts\",\"field\":\"type\"},{\"anyOf\":[{\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\"notEquals\":\"true\"},{\"field\":\"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\"notEquals\":\"[parameters('minimumTlsVersion')]\"}]}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('minimumTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimumTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2019-06-01\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":
{\"minimumTlsVersion\":\"[parameters('minimumTlsVersion')]\",\"supportsHttpsTrafficOnly\":true},\"type\":\"Microsoft.Storage/storageAccounts\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\"},{\"equals\":\"[parameters('minimumTlsVersion')]\",\"field\":\"Microsoft.Storage/storageAccounts/minimumTlsVersion\"},{\"equals\":\"false\",\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\"}]},\"name\":\"current\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.DBforPostgreSQL/servers\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-VNET-HubSpoke\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-VNET-HubSpoke", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy deploys virtual network and peer to the hub", - "display_name": "Deploy Virtual Network with peering to the hub", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Network\",\"version\":\"1.1.0\"}", - "mode": "All", - "name": "Deploy-VNET-HubSpoke", - "parameters": "{\"dnsServers\":{\"defaultValue\":[],\"metadata\":{\"description\":\"Default domain servers for the vNET.\",\"displayName\":\"DNSServers\"},\"type\":\"Array\"},\"hubResourceId\":{\"metadata\":{\"description\":\"Resource ID for the HUB 
vNet\",\"displayName\":\"hubResourceId\"},\"type\":\"String\"},\"vNetCidrRange\":{\"metadata\":{\"description\":\"CIDR Range for the vNet\",\"displayName\":\"vNetCidrRange\"},\"type\":\"String\"},\"vNetLocation\":{\"metadata\":{\"description\":\"Location for the vNet\",\"displayName\":\"vNetLocation\"},\"type\":\"String\"},\"vNetName\":{\"metadata\":{\"description\":\"Name of the landing zone vNet\",\"displayName\":\"vNetName\"},\"type\":\"String\"},\"vNetPeerUseRemoteGateway\":{\"defaultValue\":false,\"metadata\":{\"description\":\"Enable gateway transit for the LZ network\",\"displayName\":\"vNetPeerUseRemoteGateway\"},\"type\":\"Boolean\"},\"vNetRgName\":{\"metadata\":{\"description\":\"Name of the landing zone vNet RG\",\"displayName\":\"vNetRgName\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"ResourceGroupName\":\"[parameters('vNetRgName')]\",\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"dnsServers\":{\"value\":\"[parameters('dnsServers')]\"},\"hubResourceId\":{\"value\":\"[parameters('hubResourceId')]\"},\"vNetCidrRange\":{\"value\":\"[parameters('vNetCidrRange')]\"},\"vNetLocation\":{\"value\":\"[parameters('vNetLocation')]\"},\"vNetName\":{\"value\":\"[parameters('vNetName')]\"},\"vNetPeerUseRemoteGateway\":{\"value\":\"[parameters('vNetPeerUseRemoteGateway')]\"},\"vNetRgName\":{\"value\":\"[parameters('vNetRgName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"dnsServers\":{\"defaultValue\":[],\"type\":\"Array\"},\"hubResourceId\":{\"type\":\"String\"},\"vNetCidrRange\":{\"type\":\"String\"},\"vNetLocation\":{\"type\":\"String\"},\"vNetName\":{\"type\":\"String\"},\"vNetPeerUseRemoteGateway\":{\"defaultValue\":false,\"type\":\"bool\"},\"vNetRgNam
e\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2021-04-01\",\"dependsOn\":[],\"location\":\"[parameters('vNetLocation')]\",\"name\":\"[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6),'-rg')]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{},\"resources\":[{\"apiVersion\":\"2021-04-01\",\"location\":\"[parameters('vNetLocation')]\",\"name\":\"[parameters('vNetRgName')]\",\"properties\":{},\"type\":\"Microsoft.Resources/resourceGroups\"}],\"variables\":{}}},\"type\":\"Microsoft.Resources/deployments\"},{\"apiVersion\":\"2021-04-01\",\"dependsOn\":[\"[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6),'-rg')]\"],\"name\":\"[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6))]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{},\"resources\":[{\"apiVersion\":\"2021-02-01\",\"dependsOn\":[],\"location\":\"[parameters('vNetLocation')]\",\"name\":\"[parameters('vNetName')]\",\"properties\":{\"addressSpace\":{\"addressPrefixes\":[\"[parameters('vNetCidrRange')]\"]},\"dhcpOptions\":{\"dnsServers\":\"[parameters('dnsServers')]\"}},\"type\":\"Microsoft.Network/virtualNetworks\"},{\"apiVersion\":\"2021-02-01\",\"dependsOn\":[\"[parameters('vNetName')]\"],\"name\":\"[concat(parameters('vNetName'), 
'/peerToHub')]\",\"properties\":{\"allowForwardedTraffic\":true,\"allowGatewayTransit\":false,\"allowVirtualNetworkAccess\":true,\"remoteVirtualNetwork\":{\"id\":\"[parameters('hubResourceId')]\"},\"useRemoteGateways\":\"[parameters('vNetPeerUseRemoteGateway')]\"},\"type\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\"},{\"apiVersion\":\"2021-04-01\",\"dependsOn\":[\"[parameters('vNetName')]\"],\"name\":\"[concat('es-lz-hub-',substring(uniqueString(subscription().id),0,6),'-peering')]\",\"properties\":{\"expressionEvaluationOptions\":{\"scope\":\"inner\"},\"mode\":\"Incremental\",\"parameters\":{\"hubName\":{\"value\":\"[split(parameters('hubResourceId'),'/')[8]]\"},\"remoteVirtualNetwork\":{\"value\":\"[concat(subscription().id,'/resourceGroups/',parameters('vNetRgName'), '/providers/','Microsoft.Network/virtualNetworks/', parameters('vNetName'))]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"hubName\":{\"defaultValue\":false,\"type\":\"String\"},\"remoteVirtualNetwork\":{\"defaultValue\":false,\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2021-02-01\",\"name\":\"[[concat(parameters('hubName'),'/',last(split(parameters('remoteVirtualNetwork'),'/')))]\",\"properties\":{\"allowForwardedTraffic\":true,\"allowGatewayTransit\":true,\"allowVirtualNetworkAccess\":true,\"remoteVirtualNetwork\":{\"id\":\"[[parameters('remoteVirtualNetwork')]\"},\"useRemoteGateways\":false},\"type\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\"}],\"variables\":{}}},\"resourceGroup\":\"[split(parameters('hubResourceId'),'/')[4]]\",\"subscriptionId\":\"[split(parameters('hubResourceId'),'/')[2]]\",\"type\":\"Microsoft.Resources/deployments\"}],\"variables\":{}}},\"resourceGroup\":\"[parameters('vNetRgName')]\",\"type\":\"Microsoft.Resources/deployments\"}],\"variables\":{}}}},\"deploymentScope\":\"subscription\",\"existenceCon
dition\":{\"allOf\":[{\"field\":\"name\",\"like\":\"[parameters('vNetName')]\"},{\"equals\":\"[parameters('vNetLocation')]\",\"field\":\"location\"}]},\"existenceScope\":\"resourceGroup\",\"name\":\"[parameters('vNetName')]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Network/virtualNetworks\"},\"effect\":\"deployIfNotExists\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Windows-DomainJoin\"]", - "mode": "managed", - "type": "azurerm_policy_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Windows-DomainJoin", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy Windows Domain Join Extension with keyvault configuration when the extension does not exist on a given windows Virtual Machine", - "display_name": "Deploy Windows Domain Join Extension with keyvault configuration", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Guest Configuration\",\"version\":\"1.0.0\"}", - "mode": "Indexed", - "name": "Deploy-Windows-DomainJoin", - "parameters": 
"{\"domainFQDN\":{\"metadata\":{\"displayName\":\"domainFQDN\"},\"type\":\"String\"},\"domainOUPath\":{\"metadata\":{\"displayName\":\"domainOUPath\"},\"type\":\"String\"},\"domainPassword\":{\"metadata\":{\"displayName\":\"domainPassword\"},\"type\":\"String\"},\"domainUsername\":{\"metadata\":{\"displayName\":\"domainUsername\"},\"type\":\"String\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"keyVaultResourceId\":{\"metadata\":{\"displayName\":\"keyVaultResourceId\"},\"type\":\"String\"}}", - "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Compute/virtualMachines\",\"field\":\"type\"},{\"equals\":\"MicrosoftWindowsServer\",\"field\":\"Microsoft.Compute/imagePublisher\"},{\"equals\":\"WindowsServer\",\"field\":\"Microsoft.Compute/imageOffer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2008-R2-SP1-zhcn\",\"2012-Datacenter\",\"2012-datacenter-gensecond\",\"2012-Datacenter-smalldisk\",\"2012-datacenter-smalldisk-g2\",\"2012-Datacenter-zhcn\",\"2012-datacenter-zhcn-g2\",\"2012-R2-Datacenter\",\"2012-r2-datacenter-gensecond\",\"2012-R2-Datacenter-smalldisk\",\"2012-r2-datacenter-smalldisk-g2\",\"2012-R2-Datacenter-zhcn\",\"2012-r2-datacenter-zhcn-g2\",\"2016-Datacenter\",\"2016-datacenter-gensecond\",\"2016-datacenter-gs\",\"2016-Datacenter-Server-Core\",\"2016-datacenter-server-core-g2\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-datacenter-server-core-smalldisk-g2\",\"2016-Datacenter-smalldisk\",\"2016-datacenter-smalldisk-g2\",\"2016-Datacenter-with-Containers\",\"2016-datacenter-with-containers-g2\",\"2016-Datacenter-with-RDSH\",\"2016-Datacenter-zhcn\",\"2016-datacenter-zhcn-g2\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-datacenter-core-g2\",\"2019-Datacenter-Core-smalldisk\",\"2019-datacenter-cor
e-smalldisk-g2\",\"2019-Datacenter-Core-with-Containers\",\"2019-datacenter-core-with-containers-g2\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-datacenter-core-with-containers-smalldisk-g2\",\"2019-datacenter-gensecond\",\"2019-datacenter-gs\",\"2019-Datacenter-smalldisk\",\"2019-datacenter-smalldisk-g2\",\"2019-Datacenter-with-Containers\",\"2019-datacenter-with-containers-g2\",\"2019-Datacenter-with-Containers-smalldisk\",\"2019-datacenter-with-containers-smalldisk-g2\",\"2019-Datacenter-zhcn\",\"2019-datacenter-zhcn-g2\",\"Datacenter-Core-1803-with-Containers-smalldisk\",\"datacenter-core-1803-with-containers-smalldisk-g2\",\"Datacenter-Core-1809-with-Containers-smalldisk\",\"datacenter-core-1809-with-containers-smalldisk-g2\",\"Datacenter-Core-1903-with-Containers-smalldisk\",\"datacenter-core-1903-with-containers-smalldisk-g2\",\"datacenter-core-1909-with-containers-smalldisk\",\"datacenter-core-1909-with-containers-smalldisk-g1\",\"datacenter-core-1909-with-containers-smalldisk-g2\"]}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"domainFQDN\":{\"value\":\"[parameters('domainFQDN')]\"},\"domainOUPath\":{\"value\":\"[parameters('domainOUPath')]\"},\"domainPassword\":{\"reference\":{\"keyVault\":{\"id\":\"[parameters('keyVaultResourceId')]\"},\"secretName\":\"[parameters('domainPassword')]\"}},\"domainUsername\":{\"reference\":{\"keyVault\":{\"id\":\"[parameters('keyVaultResourceId')]\"},\"secretName\":\"[parameters('domainUsername')]\"}},\"keyVaultResourceId\":{\"value\":\"[parameters('keyVaultResourceId')]\"},\"location\":{\"value\":\"[field('location')]\"},\"vmName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"domainFQDN\":{\"type\":\"String\"},\"domainOUPath\":{\"type\":\"String\"},\"domainPassword\":{\"type\":\"securestring\"},\"
domainUsername\":{\"type\":\"String\"},\"keyVaultResourceId\":{\"type\":\"String\"},\"location\":{\"type\":\"String\"},\"vmName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2015-06-15\",\"location\":\"[resourceGroup().location]\",\"name\":\"[concat(variables('vmName'),'/joindomain')]\",\"properties\":{\"autoUpgradeMinorVersion\":true,\"protectedSettings\":{\"Password\":\"[parameters('domainPassword')]\"},\"publisher\":\"Microsoft.Compute\",\"settings\":{\"Name\":\"[parameters('domainFQDN')]\",\"OUPath\":\"[parameters('domainOUPath')]\",\"Options\":\"[variables('domainJoinOptions')]\",\"Restart\":\"true\",\"User\":\"[parameters('domainUserName')]\"},\"type\":\"JsonADDomainExtension\",\"typeHandlerVersion\":\"1.3\"},\"type\":\"Microsoft.Compute/virtualMachines/extensions\"}],\"variables\":{\"domainJoinOptions\":3,\"vmName\":\"[parameters('vmName')]\"}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"JsonADDomainExtension\",\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\"},{\"equals\":\"Microsoft.Compute\",\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\"}]},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"],\"type\":\"Microsoft.Compute/virtualMachines/extensions\"},\"effect\":\"[parameters('effect')]\"}}", - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints\"]", - "mode": "managed", - "type": "azurerm_policy_set_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { 
- "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints", - "display_name": "Public network access should be disabled for PaaS services", - "management_group_name": "root-id-3", - "name": "Deny-PublicPaaSEndpoints", - "parameters": "{\"ACRPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies the creation of Azure Container Registires with exposed public endpoints \",\"displayName\":\"Public network access on Azure Container Registry disabled\"},\"type\":\"String\"},\"AFSPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies the creation of Azure File Sync instances with exposed public endpoints \",\"displayName\":\"Public network access on Azure File Sync disabled\"},\"type\":\"String\"},\"AKSPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies the creation of Azure Kubernetes Service non-private clusters\",\"displayName\":\"Public network access on AKS API should be disabled\"},\"type\":\"String\"},\"BatchPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of Azure Batch Instances with exposed public endpoints\",\"displayName\":\"Public network access should be disabled for Azure Batch Instances\"},\"type\":\"String\"},\"CosmosPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies that Cosmos database accounts are created with out public network access is disabled.\",\"displayName\":\"Public network access should be disabled for 
CosmosDB\"},\"type\":\"String\"},\"KeyVaultPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\",\"displayName\":\"Public network access should be disabled for KeyVault\"},\"type\":\"String\"},\"MySQLFlexPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\",\"displayName\":\"Public network access should be disabled for MySQL Flexible Server\"},\"type\":\"String\"},\"PostgreSQLFlexPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of Postgre SQL Flexible DB accounts with exposed public endpoints\",\"displayName\":\"Public network access should be disabled for PostgreSql Flexible Server\"},\"type\":\"String\"},\"SqlServerPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of Sql servers with exposed public endpoints\",\"displayName\":\"Public network access on Azure SQL Database should be disabled\"},\"type\":\"String\"},\"StoragePublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\",\"displayName\":\"Public network access onStorage accounts should be disabled\"},\"type\":\"String\"}}", - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('CosmosPublicIpDenyEffect')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a", - "policy_group_names": null, - "reference_id": "CosmosDenyPaasPublicIP" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('KeyVaultPublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490", - "policy_group_names": null, - "reference_id": "KeyVaultDenyPaasPublicIP" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlServerPublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780", - "policy_group_names": null, - "reference_id": "SqlServerDenyPaasPublicIP" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('StoragePublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c", - "policy_group_names": null, - "reference_id": "StorageDenyPaasPublicIP" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AKSPublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8", - "policy_group_names": null, - "reference_id": "AKSDenyPaasPublicIP" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('ACRPublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f", - "policy_group_names": null, - "reference_id": "ACRDenyPaasPublicIP" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AFSPublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7", - "policy_group_names": null, - "reference_id": "AFSDenyPaasPublicIP" - }, - { - "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48", - "policy_group_names": null, - "reference_id": "PostgreSQLFlexDenyPublicIP" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLFlexPublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052", - "policy_group_names": null, - "reference_id": "MySQLFlexDenyPublicIP" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('BatchPublicIpDenyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488", - "policy_group_names": null, - "reference_id": "BatchDenyPublicIP" - } - ], - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": { - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - } - ] - } - }, - { - "address": "module.test_root_id_3.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics\"]", - "mode": "managed", - "type": "azurerm_policy_set_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy set deploys the configurations of application Azure resources to 
forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included ", - "display_name": "Deploy Diagnostic Settings to Azure Services", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", - "name": "Deploy-Diagnostics-LogAnalytics", - "parameters": "{\"ACILogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\",\"displayName\":\"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\"},\"type\":\"String\"},\"ACRLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\",\"displayName\":\"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\"},\"type\":\"String\"},\"AKSLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled.\",\"displayName\":\"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\"},\"type\":\"String\"},\"APIMgmtLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for API Management to Log Analytics workspace\"},\"type\":\"String\"},\"APIforFHIRLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\"},\"type\":\"String\"},\"AnalysisServiceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\"},\"type\":\"String\"},\"AppServiceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\"},\"type\":\"String\"},\"AppServiceWebappLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for App Service to Log Analytics workspace\"},\"type\":\"String\"},\"ApplicationGatewayLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\"},\"type\":\"String\"},\"AutomationLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Automation to Log Analytics workspace\"},\"type\":\"String\"},\"BatchLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Batch to Log Analytics workspace\"},\"type\":\"String\"},\"CDNEndpointsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\"},\"type\":\"String\"},\"CognitiveServicesLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\"},\"type\":\"String\"},\"CosmosLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\"},\"type\":\"String\"},\"DataExplorerClusterLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\"},\"type\":\"String\"},\"DataFactoryLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\"},\"type\":\"String\"},\"DataLakeAnalyticsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\"},\"type\":\"String\"},\"DataLakeStoreLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\"},\"type\":\"String\"},\"DatabricksLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\"},\"type\":\"String\"},\"EventGridSubLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\"},\"type\":\"String\"},\"EventGridTopicLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\"},\"type\":\"String\"},\"EventHubLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\"},\"type\":\"String\"},\"EventSystemTopicLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\"},\"type\":\"String\"},\"ExpressRouteLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\"},\"type\":\"String\"},\"FirewallLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\"},\"type\":\"String\"},\"FrontDoorLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\"},\"type\":\"String\"},\"FunctionAppLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\"},\"type\":\"String\"},\"HDInsightLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\"},\"type\":\"String\"},\"IotHubLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\"},\"type\":\"String\"},\"KeyVaultLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\"},\"type\":\"String\"},\"LoadBalancerLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\"},\"type\":\"String\"},\"LogicAppsISELogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\"},\"type\":\"String\"},\"LogicAppsWFLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\"},\"type\":\"String\"},\"MariaDBLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\"},\"type\":\"String\"},\"MediaServiceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\"},\"type\":\"String\"},\"MlWorkspaceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\"},\"type\":\"String\"},\"MySQLLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\"},\"type\":\"String\"},\"NetworkNICLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\"},\"type\":\"String\"},\"NetworkPublicIPNicLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\"},\"type\":\"String\"},\"NetworkSecurityGroupsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\"},\"type\":\"String\"},\"PostgreSQLLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\"},\"type\":\"String\"},\"PowerBIEmbeddedLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\"},\"type\":\"String\"},\"RedisCacheLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\"},\"type\":\"String\"},\"RelayLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Relay to Log Analytics workspace\"},\"type\":\"String\"},\"SQLDBsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\"},\"type\":\"String\"},\"SQLElasticPoolsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\"},\"type\":\"String\"},\"SQLMLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\"},\"type\":\"String\"},\"SearchServicesLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\"},\"type\":\"String\"},\"ServiceBusLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\"},\"type\":\"String\"},\"SignalRLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\"},\"type\":\"String\"},\"StorageAccountsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\"},\"type\":\"String\"},\"StreamAnalyticsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\"},\"type\":\"String\"},\"TimeSeriesInsightsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\"},\"type\":\"String\"},\"TrafficManagerLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\"},\"type\":\"String\"},\"VMSSLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\"},\"type\":\"String\"},\"VNetGWLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\",\"displayName\":\"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\"},\"type\":\"String\"},\"VirtualMachinesLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\"},\"type\":\"String\"},\"VirtualNetworkLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\"},\"type\":\"String\"},\"WVDAppGroupsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for WVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for WVD Application Groups to Log Analytics workspace\"},\"type\":\"String\"},\"WVDHostPoolsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for WVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for WVD Host pools to Log Analytics workspace\"},\"type\":\"String\"},\"WVDWorkspaceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for WVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for WVD Workspace to Log Analytics workspace\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('StorageAccountsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474", - "policy_group_names": null, - "reference_id": "StorageAccountDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('WVDAppGroupsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup", - "policy_group_names": null, - "reference_id": "WVDAppGroupDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('WVDWorkspaceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace", - "policy_group_names": null, - "reference_id": "WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('WVDHostPoolsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools", - "policy_group_names": null, - "reference_id": "WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('ACILogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI", - "policy_group_names": null, - "reference_id": "ACIDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('ACRLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR", - "policy_group_names": null, - "reference_id": "ACRDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"diagnosticsSettingNameToUse\":{\"value\":\"[parameters('profileName')]\"},\"effect\":{\"value\":\"[parameters('AKSLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8", - "policy_group_names": null, - "reference_id": "AKSDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AnalysisServiceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService", - "policy_group_names": null, - "reference_id": "AnalysisServiceDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('APIforFHIRLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR", - "policy_group_names": null, - "reference_id": "APIforFHIRDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('APIMgmtLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt", - "policy_group_names": null, - "reference_id": "APIMgmtDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('ApplicationGatewayLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway", - "policy_group_names": null, - "reference_id": "ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AutomationLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA", - "policy_group_names": null, - "reference_id": "AutomationDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('BatchLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5", - "policy_group_names": null, - "reference_id": "BatchDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('CDNEndpointsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints", - "policy_group_names": null, - "reference_id": "CDNEndpointsDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('CognitiveServicesLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices", - "policy_group_names": null, - "reference_id": "CognitiveServicesDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('CosmosLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB", - "policy_group_names": null, - "reference_id": "CosmosDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('DatabricksLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks", - "policy_group_names": null, - "reference_id": "DatabricksDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataExplorerClusterLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - 
"policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster", - "policy_group_names": null, - "reference_id": "DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataFactoryLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory", - "policy_group_names": null, - "reference_id": "DataFactoryDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataLakeStoreLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03", - "policy_group_names": null, - "reference_id": "DataLakeStoreDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics", - "policy_group_names": null, - "reference_id": "DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('EventGridSubLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - 
"policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub", - "policy_group_names": null, - "reference_id": "EventGridSubDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('EventGridTopicLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic", - "policy_group_names": null, - "reference_id": "EventGridTopicDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('EventHubLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579", - "policy_group_names": null, - "reference_id": "EventHubDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('EventSystemTopicLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic", - "policy_group_names": null, - "reference_id": "EventSystemTopicDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('ExpressRouteLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - 
"policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute", - "policy_group_names": null, - "reference_id": "ExpressRouteDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('FirewallLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall", - "policy_group_names": null, - "reference_id": "FirewallDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('FrontDoorLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor", - "policy_group_names": null, - "reference_id": "FrontDoorDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('FunctionAppLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function", - "policy_group_names": null, - "reference_id": "FunctionAppDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('HDInsightLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - 
"policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight", - "policy_group_names": null, - "reference_id": "HDInsightDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('IotHubLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub", - "policy_group_names": null, - "reference_id": "IotHubDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('KeyVaultLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47", - "policy_group_names": null, - "reference_id": "KeyVaultDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('LoadBalancerLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer", - "policy_group_names": null, - "reference_id": "LoadBalancerDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('LogicAppsISELogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE", - "policy_group_names": null, - "reference_id": "LogicAppsISEDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('LogicAppsWFLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721", - "policy_group_names": null, - "reference_id": "LogicAppsWFDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('MariaDBLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB", - "policy_group_names": null, - "reference_id": "MariaDBDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('MediaServiceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService", - "policy_group_names": null, - "reference_id": "MediaServiceDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('MlWorkspaceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace", - "policy_group_names": null, - "reference_id": "MlWorkspaceDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL", - "policy_group_names": null, - "reference_id": "MySQLDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups", - "policy_group_names": null, - "reference_id": "NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('NetworkNICLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC", - "policy_group_names": null, - "reference_id": "NetworkNICDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - 
"policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL", - "policy_group_names": null, - "reference_id": "PostgreSQLDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded", - "policy_group_names": null, - "reference_id": "PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"True\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648", - "policy_group_names": null, - "reference_id": "NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3", - "policy_group_names": null, - "reference_id": "RecoveryVaultDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('RedisCacheLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache", - "policy_group_names": null, - "reference_id": "RedisCacheDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('RelayLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay", - "policy_group_names": null, - "reference_id": "RelayDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SearchServicesLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d", - "policy_group_names": null, - "reference_id": "SearchServicesDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('ServiceBusLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e", - "policy_group_names": null, - "reference_id": "ServiceBusDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SignalRLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR", - "policy_group_names": null, - "reference_id": "SignalRDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"diagnosticsSettingNameToUse\":{\"value\":\"[parameters('profileName')]\"},\"effect\":{\"value\":\"[parameters('SQLDBsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84", - "policy_group_names": null, - "reference_id": "SQLDatabaseDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools", - "policy_group_names": null, - "reference_id": "SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLMLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI", - "policy_group_names": null, - "reference_id": "SQLMDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('StreamAnalyticsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673", - "policy_group_names": null, - "reference_id": "StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights", - "policy_group_names": null, - "reference_id": "TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('TrafficManagerLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager", - "policy_group_names": null, - "reference_id": "TrafficManagerDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('VirtualNetworkLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork", - "policy_group_names": null, - "reference_id": "VirtualNetworkDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('VirtualMachinesLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM", - "policy_group_names": null, - "reference_id": "VirtualMachinesDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('VMSSLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS", - "policy_group_names": null, - "reference_id": "VMSSDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('VNetGWLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW", - "policy_group_names": null, - "reference_id": "VNetGWDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AppServiceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm", - "policy_group_names": null, - "reference_id": "AppServiceDeployDiagnosticLogDeployLogAnalytics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AppServiceWebappLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website", - "policy_group_names": null, - "reference_id": "AppServiceWebappDeployDiagnosticLogDeployLogAnalytics" - } - ], - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": { - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - 
"parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - } - ] - } - }, - { - "address": "module.test_root_id_3.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config\"]", - "mode": "managed", - "type": "azurerm_policy_set_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy Microsoft Defender for Cloud configuration", - "display_name": "Deploy Microsoft Defender for Cloud configuration", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Security Center\",\"version\":\"3.0.0\"}", - "name": "Deploy-MDFC-Config", - "parameters": "{\"ascExportResourceGroupLocation\":{\"metadata\":{\"description\":\"The location where the resource group and the export to Log Analytics workspace configuration are created.\",\"displayName\":\"Resource Group location for the export to Log Analytics workspace configuration\"},\"type\":\"String\"},\"ascExportResourceGroupName\":{\"metadata\":{\"description\":\"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. 
Note that each resource group can only have one export to Log Analytics workspace configured.\",\"displayName\":\"Resource Group name for the export to Log Analytics workspace configuration\"},\"type\":\"String\"},\"emailSecurityContact\":{\"metadata\":{\"description\":\"Provide email address for Microsoft Defender for Cloud contact details\",\"displayName\":\"Security contacts email address\"},\"type\":\"string\"},\"enableAscForAppServices\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForArm\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForContainers\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForDns\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForKeyVault\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForOssDb\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForServers\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForSql\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForSqlOnVm\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForStorage\":{\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Primary Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"}}", - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForOssDb')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a", - "policy_group_names": null, - "reference_id": "defenderForOssDb" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForServers')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222", - "policy_group_names": null, - "reference_id": "defenderForVM" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForSqlOnVm')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3", - "policy_group_names": null, - "reference_id": "defenderForSqlServerVirtualMachines" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForAppServices')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d", - "policy_group_names": null, - "reference_id": "defenderForAppServices" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForStorage')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3", - "policy_group_names": null, - "reference_id": "defenderForStorageAccounts" - }, - { - 
"parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForContainers')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f", - "policy_group_names": null, - "reference_id": "defenderforContainers" - }, - { - "parameter_values": "{\"Effect\":{\"value\":\"[parameters('enableAscForKeyVault')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7", - "policy_group_names": null, - "reference_id": "defenderForKeyVaults" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForDns')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f", - "policy_group_names": null, - "reference_id": "defenderForDns" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForArm')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9", - "policy_group_names": null, - "reference_id": "defenderForArm" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForSql')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491", - "policy_group_names": null, - "reference_id": "defenderForSqlPaas" - }, - { - "parameter_values": "{\"emailSecurityContact\":{\"value\":\"[parameters('emailSecurityContact')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts", - "policy_group_names": null, - "reference_id": "securityEmailContact" - }, - { - "parameter_values": 
"{\"resourceGroupLocation\":{\"value\":\"[parameters('ascExportResourceGroupLocation')]\"},\"resourceGroupName\":{\"value\":\"[parameters('ascExportResourceGroupName')]\"},\"workspaceResourceId\":{\"value\":\"[parameters('logAnalytics')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9", - "policy_group_names": null, - "reference_id": "ascExport" - } - ], - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": { - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - } - ] - } - }, - { - "address": "module.test_root_id_3.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones\"]", - "mode": "managed", - "type": "azurerm_policy_set_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones", - "display_name": "Configure Azure PaaS services to use private DNS zones", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", - "name": "Deploy-Private-DNS-Zones", - "parameters": "{\"azureAcrPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone 
Identifier\",\"displayName\":\"azureAcrPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureAppPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureAppPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureAppServicesPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureAppServicesPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureAsrPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureAsrPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureBatchPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureBatchPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureCognitiveSearchPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureCognitiveSearchPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureCognitiveServicesPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureCognitiveServicesPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureDiskAccessPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureDiskAccessPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureEventGridDomainsPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone 
Identifier\",\"displayName\":\"azureEventGridDomainsPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureEventGridTopicsPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureEventGridTopicsPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureEventHubNamespacePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureEventHubNamespacePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureFilePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureFilePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureIotHubsPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureIotHubsPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureIotPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureIotPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureKeyVaultPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureKeyVaultPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureMachineLearningWorkspacePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureMachineLearningWorkspacePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureRedisCachePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone 
Identifier\",\"displayName\":\"azureRedisCachePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureServiceBusNamespacePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureServiceBusNamespacePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureSignalRPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureSignalRPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureWebPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureWebPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"string\"},\"effect1\":{\"allowedValues\":[\"deployIfNotExists\",\"Disabled\"],\"defaultValue\":\"deployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"string\"}}", - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureFileprivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-File-Sync" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureWebPrivateDnsZoneId')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-Web" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureBatchPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-Batch" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureAppPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-App" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureAsrPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-Site-Recovery" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureIotPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-IoT" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureKeyVaultPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-KeyVault" - }, 
- { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureSignalRPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-SignalR" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureAppServicesPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-AppServices" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect1')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-EventGridTopics" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureDiskAccessPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-DiskAccess" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-CognitiveServices" - }, - { - "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('effect1')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureIotHubsPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-IoTHubs" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect1')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-EventGridDomains" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureRedisCachePrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-RedisCache" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureAcrPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-ACR" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-EventHubNamespace" - }, - { - "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-MachineLearningWorkspace" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-ServiceBusNamespace" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009", - "policy_group_names": null, - "reference_id": "DINE-Private-DNS-Azure-CognitiveSearch" - } - ], - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": { - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - } - ] - } - }, - { - "address": 
"module.test_root_id_3.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security\"]", - "mode": "managed", - "type": "azurerm_policy_set_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment", - "display_name": "Deploy SQL Database built-in SQL security configuration", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", - "name": "Deploy-Sql-Security", - "parameters": "{\"SqlDbAuditingSettingsDeploySqlSecurityEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy auditing settings to SQL Database when it not exist in the deployment\",\"displayName\":\"Deploy SQL database auditing settings\"},\"type\":\"String\"},\"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\",\"displayName\":\"Deploy SQL Database security Alert Policies configuration with email admin accounts\"},\"type\":\"String\"},\"SqlDbTdeDeploySqlSecurityEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy the Transparent Data Encryption when it is not enabled in the deployment\",\"displayName\":\"Deploy SQL Database Transparent Data Encryption 
\"},\"type\":\"String\"},\"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\",\"displayName\":\"Deploy SQL Database vulnerability Assessments\"},\"type\":\"String\"},\"vulnerabilityAssessmentsEmail\":{\"metadata\":{\"description\":\"The email address to send alerts\",\"displayName\":\"The email address to send alerts\"},\"type\":\"String\"},\"vulnerabilityAssessmentsStorageID\":{\"metadata\":{\"description\":\"The storage account ID to store assessments\",\"displayName\":\"The storage account ID to store assessments\"},\"type\":\"String\"}}", - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde", - "policy_group_names": null, - "reference_id": "SqlDbTdeDeploySqlSecurity" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies", - "policy_group_names": null, - "reference_id": "SqlDbSecurityAlertPoliciesDeploySqlSecurity" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings", - "policy_group_names": null, - "reference_id": "SqlDbAuditingSettingsDeploySqlSecurity" - 
}, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"},\"vulnerabilityAssessmentsEmail\":{\"value\":\"[parameters('vulnerabilityAssessmentsEmail')]\"},\"vulnerabilityAssessmentsStorageID\":{\"value\":\"[parameters('vulnerabilityAssessmentsStorageID')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments", - "policy_group_names": null, - "reference_id": "SqlDbVulnerabilityAssessmentsDeploySqlSecurity" - } - ], - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": { - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - } - ] - } - }, - { - "address": "module.test_root_id_3.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit\"]", - "mode": "managed", - "type": "azurerm_policy_set_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit. 
", - "display_name": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Encryption\",\"version\":\"1.0.0\"}", - "name": "Enforce-EncryptTransit", - "parameters": "{\"AKSIngressHttpsOnlyEffect\":{\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"deny\",\"metadata\":{\"description\":\"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\",\"displayName\":\"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\"},\"type\":\"String\"},\"APIAppServiceHttpsEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\"displayName\":\"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\"},\"type\":\"String\"},\"APIAppServiceLatestTlsEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"App Service API App. Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\",\"displayName\":\"App Service API App. Latest TLS version should be used in your API App\"},\"type\":\"String\"},\"AppServiceHttpEffect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\",\"displayName\":\"App Service. 
Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\"},\"type\":\"String\"},\"AppServiceTlsVersionEffect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\",\"displayName\":\"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\"},\"type\":\"String\"},\"AppServiceminTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"App Service. Select version minimum TLS version for a Web App config to enforce\",\"displayName\":\"App Service. Select version minimum TLS Web App config\"},\"type\":\"String\"},\"FunctionLatestTlsEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\",\"displayName\":\"App Service Function App. Latest TLS version should be used in your Function App\"},\"type\":\"String\"},\"FunctionServiceHttpsEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\"displayName\":\"App Service Function App. Function App should only be accessible over HTTPS. 
Choose Deny or Audit in combination with Append policy.\"},\"type\":\"String\"},\"MySQLEnableSSLDeployEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\"},\"type\":\"String\"},\"MySQLEnableSSLEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\"},\"type\":\"String\"},\"MySQLminimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"MySQL database servers. 
Select version minimum TLS for MySQL server\"},\"type\":\"String\"},\"PostgreSQLEnableSSLDeployEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\"},\"type\":\"String\"},\"PostgreSQLEnableSSLEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\"},\"type\":\"String\"},\"PostgreSQLminimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"PostgreSQL database servers. 
Select version minimum TLS for MySQL server\"},\"type\":\"String\"},\"RedisMinTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version for a Azure Cache for Redis to enforce\",\"displayName\":\"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\"},\"type\":\"String\"},\"RedisTLSDeployEffect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\"},\"type\":\"String\"},\"RedisTLSEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\"displayName\":\"Azure Cache for Redis. 
Only secure connections to your Azure Cache for Redis should be enabled\"},\"type\":\"String\"},\"SQLManagedInstanceMinTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version for Azure Managed Instanceto to enforce\",\"displayName\":\"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\"},\"type\":\"String\"},\"SQLManagedInstanceTLSDeployEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\"},\"type\":\"String\"},\"SQLManagedInstanceTLSEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\",\"displayName\":\"SQL Managed Instance should have the minimal TLS version of 1.2\"},\"type\":\"String\"},\"SQLServerTLSDeployEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. 
Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\"},\"type\":\"String\"},\"SQLServerTLSEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\",\"displayName\":\"Azure SQL Database should have the minimal TLS version of 1.2\"},\"type\":\"String\"},\"SQLServerminTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version for Azure SQL Database to enforce\",\"displayName\":\"Azure SQL Database.Select version minimum TLS for Azure SQL Database\"},\"type\":\"String\"},\"StorageDeployHttpsEnabledEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\",\"displayName\":\"Azure Storage Account. 
Deploy Secure transfer to storage accounts should be enabled\"},\"type\":\"String\"},\"StorageHttpsEnabledEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\",\"displayName\":\"Azure Storage Account. Secure transfer to storage accounts should be enabled\"},\"type\":\"String\"},\"StorageminimumTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_1\",\"TLS1_0\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version on Azure Storage Account to enforce\",\"displayName\":\"Storage Account select minimum TLS version\"},\"type\":\"String\"},\"WebAppServiceHttpsEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\"displayName\":\"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\"},\"type\":\"String\"},\"WebAppServiceLatestTlsEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\",\"displayName\":\"App Service Web App. 
Latest TLS version should be used in your Web App\"},\"type\":\"String\"}}", - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AppServiceHttpEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", - "policy_group_names": null, - "reference_id": "AppServiceHttpEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AppServiceTlsVersionEffect')]\"},\"minTlsVersion\":{\"value\":\"[parameters('AppServiceminTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", - "policy_group_names": null, - "reference_id": "AppServiceminTlsVersion" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('APIAppServiceLatestTlsEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e", - "policy_group_names": null, - "reference_id": "APIAppServiceLatestTlsEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('FunctionLatestTlsEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", - "policy_group_names": null, - "reference_id": "FunctionLatestTlsEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('WebAppServiceLatestTlsEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", - "policy_group_names": null, - "reference_id": "WebAppServiceLatestTlsEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('APIAppServiceHttpsEffect')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", - "policy_group_names": null, - "reference_id": "APIAppServiceHttpsEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('FunctionServiceHttpsEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", - "policy_group_names": null, - "reference_id": "FunctionServiceHttpsEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('WebAppServiceHttpsEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", - "policy_group_names": null, - "reference_id": "WebAppServiceHttpsEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AKSIngressHttpsOnlyEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", - "policy_group_names": null, - "reference_id": "AKSIngressHttpsOnlyEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLEnableSSLDeployEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('MySQLminimalTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", - "policy_group_names": null, - "reference_id": "MySQLEnableSSLDeployEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLEnableSSLEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('MySQLminimalTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", - 
"policy_group_names": null, - "reference_id": "MySQLEnableSSLEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLEnableSSLDeployEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('PostgreSQLminimalTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", - "policy_group_names": null, - "reference_id": "PostgreSQLEnableSSLDeployEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLEnableSSLEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('PostgreSQLminimalTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", - "policy_group_names": null, - "reference_id": "PostgreSQLEnableSSLEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('RedisTLSDeployEffect')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('RedisMinTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", - "policy_group_names": null, - "reference_id": "RedisTLSDeployEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('RedisTLSDeployEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", - "policy_group_names": null, - "reference_id": "RedisdisableNonSslPort" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('RedisTLSEffect')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('RedisMinTlsVersion')]\"}}", - "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", - "policy_group_names": null, - "reference_id": "RedisDenyhttps" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLManagedInstanceTLSDeployEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('SQLManagedInstanceMinTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", - "policy_group_names": null, - "reference_id": "SQLManagedInstanceTLSDeployEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLManagedInstanceTLSEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('SQLManagedInstanceMinTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", - "policy_group_names": null, - "reference_id": "SQLManagedInstanceTLSEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLServerTLSDeployEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('SQLServerminTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", - "policy_group_names": null, - "reference_id": "SQLServerTLSDeployEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLServerTLSEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('SQLServerminTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", - "policy_group_names": null, - "reference_id": "SQLServerTLSEffect" - }, - { - "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('StorageHttpsEnabledEffect')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('StorageMinimumTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS", - "policy_group_names": null, - "reference_id": "StorageHttpsEnabledEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('StorageDeployHttpsEnabledEffect')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('StorageMinimumTlsVersion')]\"}}", - "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", - "policy_group_names": null, - "reference_id": "StorageDeployHttpsEnabledEffect" - } - ], - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": { - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - } - ] - } - }, - { - "address": "module.test_root_id_3.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK\"]", - "mode": "managed", - "type": "azurerm_policy_set_definition", - "name": "enterprise_scale", - "index": 
"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", - "display_name": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", - "management_group_name": "root-id-3", - "metadata": "{\"category\":\"Encryption\",\"version\":\"1.0.0\"}", - "name": "Enforce-Encryption-CMK", - "parameters": "{\"ACRCmkEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\",\"displayName\":\"Container registries should be encrypted with a customer-managed key (CMK)\"},\"type\":\"String\"},\"AksCmkEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. 
This is a common requirement in many regulatory and industry compliance standards.\",\"displayName\":\"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\"},\"type\":\"String\"},\"AzureBatchCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\",\"displayName\":\"Azure Batch account should use customer-managed keys to encrypt data\"},\"type\":\"String\"},\"CognitiveServicesCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\",\"displayName\":\"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\"},\"type\":\"String\"},\"CosmosCMKEffect\":{\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\",\"metadata\":{\"description\":\"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. 
By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\",\"displayName\":\"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\"},\"type\":\"String\"},\"DataBoxCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\",\"displayName\":\"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\"},\"type\":\"String\"},\"EncryptedVMDisksEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\",\"displayName\":\"Disk encryption should be applied on virtual machines\"},\"type\":\"String\"},\"HealthcareAPIsCMKEffect\":{\"allowedValues\":[\"audit\",\"disabled\"],\"defaultValue\":\"audit\",\"metadata\":{\"description\":\"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. 
Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\",\"displayName\":\"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\"},\"type\":\"String\"},\"MySQLCMKEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\"displayName\":\"Azure MySQL servers bring your own key data protection should be enabled\"},\"type\":\"String\"},\"PostgreSQLCMKEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.\",\"displayName\":\"Azure PostgreSQL servers bring your own key data protection should be enabled\"},\"type\":\"String\"},\"SqlServerTDECMKEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\",\"displayName\":\"SQL servers should use customer-managed keys to encrypt data at rest\"},\"type\":\"String\"},\"StorageCMKEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\",\"displayName\":\"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\"},\"type\":\"String\"},\"StreamAnalyticsCMKEffect\":{\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\",\"metadata\":{\"description\":\"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. 
This gives you total control over how your Stream Analytics data is encrypted.\",\"displayName\":\"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\"},\"type\":\"String\"},\"SynapseWorkspaceCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\",\"displayName\":\"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\"},\"type\":\"String\"},\"WorkspaceCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\",\"displayName\":\"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\"},\"type\":\"String\"}}", - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('ACRCmkEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580", - "policy_group_names": null, - "reference_id": "ACRCmkDeny" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AksCmkEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67", - "policy_group_names": null, - "reference_id": "AksCmkDeny" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('WorkspaceCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8", - "policy_group_names": null, - "reference_id": "WorkspaceCMK" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('CognitiveServicesCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d", - "policy_group_names": null, - "reference_id": "CognitiveServicesCMK" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('CosmosCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f", - "policy_group_names": null, - "reference_id": "CosmosCMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataBoxCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae", - "policy_group_names": null, - "reference_id": "DataBoxCMKEffect" - }, - { - "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('StreamAnalyticsCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7", - "policy_group_names": null, - "reference_id": "StreamAnalyticsCMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SynapseWorkspaceCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385", - "policy_group_names": null, - "reference_id": "SynapseWorkspaceCMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('StorageCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25", - "policy_group_names": null, - "reference_id": "StorageCMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833", - "policy_group_names": null, - "reference_id": "MySQLCMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274", - "policy_group_names": null, - "reference_id": "PostgreSQLCMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlServerTDECMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd", - "policy_group_names": null, - "reference_id": "SqlServerTDECMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('HealthcareAPIsCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119", - "policy_group_names": null, - "reference_id": 
"HealthcareAPIsCMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('AzureBatchCMKEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a", - "policy_group_names": null, - "reference_id": "AzureBatchCMKEffect" - }, - { - "parameter_values": "{\"effect\":{\"value\":\"[parameters('EncryptedVMDisksEffect')]\"}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d", - "policy_group_names": null, - "reference_id": "EncryptedVMDisksEffect" - } - ], - "policy_type": "Custom", - "timeouts": null - }, - "sensitive_values": { - "policy_definition_group": [], - "policy_definition_reference": [ - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - }, - { - "parameters": {} - } - ] - } - }, - { - "address": "module.test_root_id_3.azurerm_private_dns_zone.connectivity[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/eastus.privatelink.siterecovery.windowsazure.com\"]", - "mode": "managed", - "type": "azurerm_private_dns_zone", - "name": "connectivity", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/eastus.privatelink.siterecovery.windowsazure.com", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "name": "eastus.privatelink.siterecovery.windowsazure.com", - "resource_group_name": "root-id-3-dns", - "tags": { - "deployedBy": 
"terraform/azure/caf-enterprise-scale/tests/deployment" - }, - "timeouts": null - }, - "sensitive_values": { - "soa_record": [], - "tags": {} - } - }, - { - "address": "module.test_root_id_3.azurerm_private_dns_zone.connectivity[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net\"]", - "mode": "managed", - "type": "azurerm_private_dns_zone", - "name": "connectivity", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "name": "privatelink.blob.core.windows.net", - "resource_group_name": "root-id-3-dns", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale/tests/deployment" - }, - "timeouts": null - }, - "sensitive_values": { - "soa_record": [], - "tags": {} - } - }, - { - "address": "module.test_root_id_3.azurerm_private_dns_zone.connectivity[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.eastus.backup.windowsazure.com\"]", - "mode": "managed", - "type": "azurerm_private_dns_zone", - "name": "connectivity", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.eastus.backup.windowsazure.com", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "name": "privatelink.eastus.backup.windowsazure.com", - "resource_group_name": "root-id-3-dns", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale/tests/deployment" - }, - "timeouts": null - }, - "sensitive_values": { - "soa_record": [], - "tags": {} - } - }, - { - "address": 
"module.test_root_id_3.azurerm_private_dns_zone.connectivity[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.file.core.windows.net\"]", - "mode": "managed", - "type": "azurerm_private_dns_zone", - "name": "connectivity", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.file.core.windows.net", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "name": "privatelink.file.core.windows.net", - "resource_group_name": "root-id-3-dns", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale/tests/deployment" - }, - "timeouts": null - }, - "sensitive_values": { - "soa_record": [], - "tags": {} - } - }, - { - "address": "module.test_root_id_3.azurerm_private_dns_zone.connectivity[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.queue.core.windows.net\"]", - "mode": "managed", - "type": "azurerm_private_dns_zone", - "name": "connectivity", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.queue.core.windows.net", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "name": "privatelink.queue.core.windows.net", - "resource_group_name": "root-id-3-dns", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale/tests/deployment" - }, - "timeouts": null - }, - "sensitive_values": { - "soa_record": [], - "tags": {} - } - }, - { - "address": "module.test_root_id_3.azurerm_private_dns_zone.connectivity[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.table.core.windows.net\"]", - "mode": "managed", - "type": 
"azurerm_private_dns_zone", - "name": "connectivity", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.table.core.windows.net", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "name": "privatelink.table.core.windows.net", - "resource_group_name": "root-id-3-dns", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale/tests/deployment" - }, - "timeouts": null - }, - "sensitive_values": { - "soa_record": [], - "tags": {} - } - }, - { - "address": "module.test_root_id_3.azurerm_private_dns_zone.connectivity[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.web.core.windows.net\"]", - "mode": "managed", - "type": "azurerm_private_dns_zone", - "name": "connectivity", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.web.core.windows.net", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "name": "privatelink.web.core.windows.net", - "resource_group_name": "root-id-3-dns", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale/tests/deployment" - }, - "timeouts": null - }, - "sensitive_values": { - "soa_record": [], - "tags": {} - } - }, - { - "address": "module.test_root_id_3.azurerm_private_dns_zone_virtual_network_link.connectivity[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/eastus.privatelink.siterecovery.windowsazure.com/virtualNetworkLinks/2a8527ca-5340-49aa-8931-ea03669451a0-8132b73f-9b5c-58cc-a99e-52f6d8565408\"]", - "mode": "managed", - "type": "azurerm_private_dns_zone_virtual_network_link", - "name": "connectivity", - "index": 
"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/eastus.privatelink.siterecovery.windowsazure.com/virtualNetworkLinks/2a8527ca-5340-49aa-8931-ea03669451a0-8132b73f-9b5c-58cc-a99e-52f6d8565408", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "name": "2a8527ca-5340-49aa-8931-ea03669451a0-8132b73f-9b5c-58cc-a99e-52f6d8565408", - "private_dns_zone_name": "eastus.privatelink.siterecovery.windowsazure.com", - "registration_enabled": false, - "resource_group_name": "root-id-3-dns", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale/tests/deployment" - }, - "timeouts": null, - "virtual_network_id": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/virtualNetworks/root-id-3-hub-eastus" - }, - "sensitive_values": { - "tags": {} - } - }, - { - "address": "module.test_root_id_3.azurerm_private_dns_zone_virtual_network_link.connectivity[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net/virtualNetworkLinks/2a8527ca-5340-49aa-8931-ea03669451a0-8132b73f-9b5c-58cc-a99e-52f6d8565408\"]", - "mode": "managed", - "type": "azurerm_private_dns_zone_virtual_network_link", - "name": "connectivity", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net/virtualNetworkLinks/2a8527ca-5340-49aa-8931-ea03669451a0-8132b73f-9b5c-58cc-a99e-52f6d8565408", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "name": "2a8527ca-5340-49aa-8931-ea03669451a0-8132b73f-9b5c-58cc-a99e-52f6d8565408", - "private_dns_zone_name": "privatelink.blob.core.windows.net", - "registration_enabled": false, - "resource_group_name": 
"root-id-3-dns", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale/tests/deployment" - }, - "timeouts": null, - "virtual_network_id": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/virtualNetworks/root-id-3-hub-eastus" - }, - "sensitive_values": { - "tags": {} - } - }, - { - "address": "module.test_root_id_3.azurerm_private_dns_zone_virtual_network_link.connectivity[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.eastus.backup.windowsazure.com/virtualNetworkLinks/2a8527ca-5340-49aa-8931-ea03669451a0-8132b73f-9b5c-58cc-a99e-52f6d8565408\"]", - "mode": "managed", - "type": "azurerm_private_dns_zone_virtual_network_link", - "name": "connectivity", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.eastus.backup.windowsazure.com/virtualNetworkLinks/2a8527ca-5340-49aa-8931-ea03669451a0-8132b73f-9b5c-58cc-a99e-52f6d8565408", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "name": "2a8527ca-5340-49aa-8931-ea03669451a0-8132b73f-9b5c-58cc-a99e-52f6d8565408", - "private_dns_zone_name": "privatelink.eastus.backup.windowsazure.com", - "registration_enabled": false, - "resource_group_name": "root-id-3-dns", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale/tests/deployment" - }, - "timeouts": null, - "virtual_network_id": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/virtualNetworks/root-id-3-hub-eastus" - }, - "sensitive_values": { - "tags": {} - } - }, - { - "address": 
"module.test_root_id_3.azurerm_private_dns_zone_virtual_network_link.connectivity[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.file.core.windows.net/virtualNetworkLinks/2a8527ca-5340-49aa-8931-ea03669451a0-8132b73f-9b5c-58cc-a99e-52f6d8565408\"]", - "mode": "managed", - "type": "azurerm_private_dns_zone_virtual_network_link", - "name": "connectivity", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.file.core.windows.net/virtualNetworkLinks/2a8527ca-5340-49aa-8931-ea03669451a0-8132b73f-9b5c-58cc-a99e-52f6d8565408", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "name": "2a8527ca-5340-49aa-8931-ea03669451a0-8132b73f-9b5c-58cc-a99e-52f6d8565408", - "private_dns_zone_name": "privatelink.file.core.windows.net", - "registration_enabled": false, - "resource_group_name": "root-id-3-dns", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale/tests/deployment" - }, - "timeouts": null, - "virtual_network_id": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/virtualNetworks/root-id-3-hub-eastus" - }, - "sensitive_values": { - "tags": {} - } - }, - { - "address": "module.test_root_id_3.azurerm_private_dns_zone_virtual_network_link.connectivity[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.queue.core.windows.net/virtualNetworkLinks/2a8527ca-5340-49aa-8931-ea03669451a0-8132b73f-9b5c-58cc-a99e-52f6d8565408\"]", - "mode": "managed", - "type": "azurerm_private_dns_zone_virtual_network_link", - "name": "connectivity", - "index": 
"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.queue.core.windows.net/virtualNetworkLinks/2a8527ca-5340-49aa-8931-ea03669451a0-8132b73f-9b5c-58cc-a99e-52f6d8565408", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "name": "2a8527ca-5340-49aa-8931-ea03669451a0-8132b73f-9b5c-58cc-a99e-52f6d8565408", - "private_dns_zone_name": "privatelink.queue.core.windows.net", - "registration_enabled": false, - "resource_group_name": "root-id-3-dns", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale/tests/deployment" - }, - "timeouts": null, - "virtual_network_id": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/virtualNetworks/root-id-3-hub-eastus" - }, - "sensitive_values": { - "tags": {} - } - }, - { - "address": "module.test_root_id_3.azurerm_private_dns_zone_virtual_network_link.connectivity[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.table.core.windows.net/virtualNetworkLinks/2a8527ca-5340-49aa-8931-ea03669451a0-8132b73f-9b5c-58cc-a99e-52f6d8565408\"]", - "mode": "managed", - "type": "azurerm_private_dns_zone_virtual_network_link", - "name": "connectivity", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.table.core.windows.net/virtualNetworkLinks/2a8527ca-5340-49aa-8931-ea03669451a0-8132b73f-9b5c-58cc-a99e-52f6d8565408", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "name": "2a8527ca-5340-49aa-8931-ea03669451a0-8132b73f-9b5c-58cc-a99e-52f6d8565408", - "private_dns_zone_name": "privatelink.table.core.windows.net", - "registration_enabled": false, - "resource_group_name": "root-id-3-dns", - 
"tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale/tests/deployment" - }, - "timeouts": null, - "virtual_network_id": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/virtualNetworks/root-id-3-hub-eastus" - }, - "sensitive_values": { - "tags": {} - } - }, - { - "address": "module.test_root_id_3.azurerm_private_dns_zone_virtual_network_link.connectivity[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.web.core.windows.net/virtualNetworkLinks/2a8527ca-5340-49aa-8931-ea03669451a0-8132b73f-9b5c-58cc-a99e-52f6d8565408\"]", - "mode": "managed", - "type": "azurerm_private_dns_zone_virtual_network_link", - "name": "connectivity", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns/providers/Microsoft.Network/privateDnsZones/privatelink.web.core.windows.net/virtualNetworkLinks/2a8527ca-5340-49aa-8931-ea03669451a0-8132b73f-9b5c-58cc-a99e-52f6d8565408", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "name": "2a8527ca-5340-49aa-8931-ea03669451a0-8132b73f-9b5c-58cc-a99e-52f6d8565408", - "private_dns_zone_name": "privatelink.web.core.windows.net", - "registration_enabled": false, - "resource_group_name": "root-id-3-dns", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale/tests/deployment" - }, - "timeouts": null, - "virtual_network_id": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/virtualNetworks/root-id-3-hub-eastus" - }, - "sensitive_values": { - "tags": {} - } - }, - { - "address": "module.test_root_id_3.azurerm_public_ip.connectivity[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/publicIPAddresses/root-id-3-ergw-eastus-pip\"]", - 
"mode": "managed", - "type": "azurerm_public_ip", - "name": "connectivity", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/publicIPAddresses/root-id-3-ergw-eastus-pip", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "allocation_method": "Static", - "availability_zone": "Zone-Redundant", - "domain_name_label": null, - "idle_timeout_in_minutes": 4, - "ip_tags": null, - "ip_version": "IPv4", - "location": "eastus", - "name": "root-id-3-ergw-eastus-pip", - "public_ip_prefix_id": null, - "resource_group_name": "root-id-3-connectivity-eastus", - "reverse_fqdn": null, - "sku": "Standard", - "sku_tier": "Regional", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale/tests/deployment" - }, - "timeouts": null - }, - "sensitive_values": { - "tags": {}, - "zones": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_public_ip.connectivity[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/publicIPAddresses/root-id-3-fw-eastus-pip\"]", - "mode": "managed", - "type": "azurerm_public_ip", - "name": "connectivity", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/publicIPAddresses/root-id-3-fw-eastus-pip", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "allocation_method": "Static", - "availability_zone": "Zone-Redundant", - "domain_name_label": null, - "idle_timeout_in_minutes": 4, - "ip_tags": null, - "ip_version": "IPv4", - "location": "eastus", - "name": "root-id-3-fw-eastus-pip", - "public_ip_prefix_id": null, - "resource_group_name": "root-id-3-connectivity-eastus", - "reverse_fqdn": null, - "sku": "Standard", - "sku_tier": "Regional", - "tags": { - "deployedBy": 
"terraform/azure/caf-enterprise-scale/tests/deployment" - }, - "timeouts": null - }, - "sensitive_values": { - "tags": {}, - "zones": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_public_ip.connectivity[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/publicIPAddresses/root-id-3-vpngw-eastus-pip\"]", - "mode": "managed", - "type": "azurerm_public_ip", - "name": "connectivity", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/publicIPAddresses/root-id-3-vpngw-eastus-pip", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "allocation_method": "Static", - "availability_zone": "Zone-Redundant", - "domain_name_label": null, - "idle_timeout_in_minutes": 4, - "ip_tags": null, - "ip_version": "IPv4", - "location": "eastus", - "name": "root-id-3-vpngw-eastus-pip", - "public_ip_prefix_id": null, - "resource_group_name": "root-id-3-connectivity-eastus", - "reverse_fqdn": null, - "sku": "Standard", - "sku_tier": "Regional", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale/tests/deployment" - }, - "timeouts": null - }, - "sensitive_values": { - "tags": {}, - "zones": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_resource_group.connectivity[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus\"]", - "mode": "managed", - "type": "azurerm_resource_group", - "name": "connectivity", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "location": "eastus", - "name": "root-id-3-connectivity-eastus", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale/tests/deployment" - }, - "timeouts": null - }, - 
"sensitive_values": { - "tags": {} - } - }, - { - "address": "module.test_root_id_3.azurerm_resource_group.connectivity[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns\"]", - "mode": "managed", - "type": "azurerm_resource_group", - "name": "connectivity", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-dns", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "location": "eastus", - "name": "root-id-3-dns", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale/tests/deployment" - }, - "timeouts": null - }, - "sensitive_values": { - "tags": {} - } - }, - { - "address": "module.test_root_id_3.azurerm_resource_group.management[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt\"]", - "mode": "managed", - "type": "azurerm_resource_group", - "name": "management", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-mgmt", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "location": "eastus", - "name": "root-id-3-mgmt", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale" - }, - "timeouts": null - }, - "sensitive_values": { - "tags": {} - } - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3-connectivity/providers/Microsoft.Authorization/roleAssignments/e8de8c60-f28e-58af-9f88-558d76b24b83\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-connectivity/providers/Microsoft.Authorization/roleAssignments/e8de8c60-f28e-58af-9f88-558d76b24b83", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - 
"delegated_managed_identity_resource_id": null, - "description": null, - "name": "e8de8c60-f28e-58af-9f88-558d76b24b83", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3-connectivity", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3-corp/providers/Microsoft.Authorization/roleAssignments/0e1d0115-c48b-58ac-814d-c978e0c40fac\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-corp/providers/Microsoft.Authorization/roleAssignments/0e1d0115-c48b-58ac-814d-c978e0c40fac", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "0e1d0115-c48b-58ac-814d-c978e0c40fac", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3-corp", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3-corp/providers/Microsoft.Authorization/roleAssignments/79ed60b3-ef94-58fd-b3cd-41b8228c05b5\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-corp/providers/Microsoft.Authorization/roleAssignments/79ed60b3-ef94-58fd-b3cd-41b8228c05b5", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": 
null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "79ed60b3-ef94-58fd-b3cd-41b8228c05b5", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3-corp", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3-corp/providers/Microsoft.Authorization/roleAssignments/d3e75b61-d41e-5648-b823-dba81181fc63\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-corp/providers/Microsoft.Authorization/roleAssignments/d3e75b61-d41e-5648-b823-dba81181fc63", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "d3e75b61-d41e-5648-b823-dba81181fc63", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3-corp", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3-identity/providers/Microsoft.Authorization/roleAssignments/30f6bbd5-1448-55dc-a337-8cc36c6f5225\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-identity/providers/Microsoft.Authorization/roleAssignments/30f6bbd5-1448-55dc-a337-8cc36c6f5225", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - 
"schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "30f6bbd5-1448-55dc-a337-8cc36c6f5225", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3-identity", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3-identity/providers/Microsoft.Authorization/roleAssignments/8735df8c-5968-5f1b-8146-568a0840ac84\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-identity/providers/Microsoft.Authorization/roleAssignments/8735df8c-5968-5f1b-8146-568a0840ac84", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "8735df8c-5968-5f1b-8146-568a0840ac84", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3-identity", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/roleAssignments/4d4eb338-cb10-5c88-8f39-7223c52cda6f\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/roleAssignments/4d4eb338-cb10-5c88-8f39-7223c52cda6f", - 
"provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "4d4eb338-cb10-5c88-8f39-7223c52cda6f", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/roleAssignments/57f831b9-e928-5b5b-ac1c-90d0245f7674\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/roleAssignments/57f831b9-e928-5b5b-ac1c-90d0245f7674", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "57f831b9-e928-5b5b-ac1c-90d0245f7674", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/roleAssignments/8483318a-a506-576e-8a04-c38d47cb6661\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": 
"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/roleAssignments/8483318a-a506-576e-8a04-c38d47cb6661", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "8483318a-a506-576e-8a04-c38d47cb6661", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/roleAssignments/c8e0494e-62ca-5af3-8612-e471f990af7d\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/roleAssignments/c8e0494e-62ca-5af3-8612-e471f990af7d", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "c8e0494e-62ca-5af3-8612-e471f990af7d", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/roleAssignments/ca13bdd6-0544-5b4f-b0f8-934a85749f0c\"]", - "mode": 
"managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/roleAssignments/ca13bdd6-0544-5b4f-b0f8-934a85749f0c", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "ca13bdd6-0544-5b4f-b0f8-934a85749f0c", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/roleAssignments/de602d23-3a0e-534f-8c96-e23d7553dbb7\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/roleAssignments/de602d23-3a0e-534f-8c96-e23d7553dbb7", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "de602d23-3a0e-534f-8c96-e23d7553dbb7", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": 
"module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/roleAssignments/e05bccb4-cf3d-5491-af76-cdac3c09cbe7\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/roleAssignments/e05bccb4-cf3d-5491-af76-cdac3c09cbe7", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "e05bccb4-cf3d-5491-af76-cdac3c09cbe7", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/18ed5180-3e48-46fd-8541-4ea054d57064", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3-management/providers/Microsoft.Authorization/roleAssignments/b33c95fa-f602-5435-acb3-f9f77e34f0b7\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-management/providers/Microsoft.Authorization/roleAssignments/b33c95fa-f602-5435-acb3-f9f77e34f0b7", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "b33c95fa-f602-5435-acb3-f9f77e34f0b7", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3-management", 
- "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3-secure/providers/Microsoft.Authorization/roleAssignments/0709bcc0-3a5c-5bd5-b76b-1aa4cd92e9e8\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-secure/providers/Microsoft.Authorization/roleAssignments/0709bcc0-3a5c-5bd5-b76b-1aa4cd92e9e8", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "0709bcc0-3a5c-5bd5-b76b-1aa4cd92e9e8", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3-secure", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3-secure/providers/Microsoft.Authorization/roleAssignments/0aff3c41-09e3-515a-b544-494b967e15af\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-secure/providers/Microsoft.Authorization/roleAssignments/0aff3c41-09e3-515a-b544-494b967e15af", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "0aff3c41-09e3-515a-b544-494b967e15af", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", - "scope": 
"/providers/Microsoft.Management/managementGroups/root-id-3-secure", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3-secure/providers/Microsoft.Authorization/roleAssignments/34fc74e5-ba64-5ee8-9e8d-cff7c6800938\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-secure/providers/Microsoft.Authorization/roleAssignments/34fc74e5-ba64-5ee8-9e8d-cff7c6800938", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "34fc74e5-ba64-5ee8-9e8d-cff7c6800938", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3-secure", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3-secure/providers/Microsoft.Authorization/roleAssignments/ae6da3ae-362a-54ee-a361-23403bcf2f2d\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-secure/providers/Microsoft.Authorization/roleAssignments/ae6da3ae-362a-54ee-a361-23403bcf2f2d", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "ae6da3ae-362a-54ee-a361-23403bcf2f2d", - "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3-secure", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3-secure/providers/Microsoft.Authorization/roleAssignments/d8a7b519-56e2-5c8c-b094-1f7891301042\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-secure/providers/Microsoft.Authorization/roleAssignments/d8a7b519-56e2-5c8c-b094-1f7891301042", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "d8a7b519-56e2-5c8c-b094-1f7891301042", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3-secure", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/1fbd1ef4-e707-50aa-b735-b435bfbb0f75\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/1fbd1ef4-e707-50aa-b735-b435bfbb0f75", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "1fbd1ef4-e707-50aa-b735-b435bfbb0f75", 
- "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/2a0b3092-70a8-5efc-90e4-9ce8b48ae9d2\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/2a0b3092-70a8-5efc-90e4-9ce8b48ae9d2", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "2a0b3092-70a8-5efc-90e4-9ce8b48ae9d2", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/2ee16d2b-56f7-5374-854e-385025401e09\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/2ee16d2b-56f7-5374-854e-385025401e09", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "2ee16d2b-56f7-5374-854e-385025401e09", - 
"role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/3725559b-ab90-5aee-a984-2b51350ab33f\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/3725559b-ab90-5aee-a984-2b51350ab33f", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "3725559b-ab90-5aee-a984-2b51350ab33f", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/37876495-ef4c-52ac-b36d-e055ff4f76e0\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/37876495-ef4c-52ac-b36d-e055ff4f76e0", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "37876495-ef4c-52ac-b36d-e055ff4f76e0", - 
"role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/402f9d83-f4d2-5a26-a709-76fe950f07ac\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/402f9d83-f4d2-5a26-a709-76fe950f07ac", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "402f9d83-f4d2-5a26-a709-76fe950f07ac", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/4ffbcb77-26a7-5c54-9ef4-ad5cf2f17ce3\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/4ffbcb77-26a7-5c54-9ef4-ad5cf2f17ce3", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "4ffbcb77-26a7-5c54-9ef4-ad5cf2f17ce3", - 
"role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/99c0a2ca-e316-5c3e-95db-0af65668929a\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/99c0a2ca-e316-5c3e-95db-0af65668929a", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "99c0a2ca-e316-5c3e-95db-0af65668929a", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/a6104bde-96e1-5c3d-870b-5a93ca64d5ee\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/a6104bde-96e1-5c3d-870b-5a93ca64d5ee", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "a6104bde-96e1-5c3d-870b-5a93ca64d5ee", - 
"role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/aaa50899-4789-5c27-88f2-22a461427364\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/aaa50899-4789-5c27-88f2-22a461427364", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "aaa50899-4789-5c27-88f2-22a461427364", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/c23eebdb-8a7e-5427-9699-017e8bca9740\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/c23eebdb-8a7e-5427-9699-017e8bca9740", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "c23eebdb-8a7e-5427-9699-017e8bca9740", - 
"role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/cff4dc71-46a7-5337-b6f4-77fed0293ff7\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/cff4dc71-46a7-5337-b6f4-77fed0293ff7", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "cff4dc71-46a7-5337-b6f4-77fed0293ff7", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/d1124698-14c2-5894-8eab-417a22e7c3de\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/d1124698-14c2-5894-8eab-417a22e7c3de", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "d1124698-14c2-5894-8eab-417a22e7c3de", - 
"role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/d436f3a0-a085-5ed0-a2a5-e0f48700e6ba\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/d436f3a0-a085-5ed0-a2a5-e0f48700e6ba", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "d436f3a0-a085-5ed0-a2a5-e0f48700e6ba", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/da6355d2-3ea7-5ab4-8996-be7dda68a557\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/da6355d2-3ea7-5ab4-8996-be7dda68a557", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "da6355d2-3ea7-5ab4-8996-be7dda68a557", - 
"role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/e2b72278-799d-5a0b-a113-0f6fd1e8a9b0\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/e2b72278-799d-5a0b-a113-0f6fd1e8a9b0", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "e2b72278-799d-5a0b-a113-0f6fd1e8a9b0", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/e7b64fb3-e893-54ed-8aea-5bb515fb3511\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/e7b64fb3-e893-54ed-8aea-5bb515fb3511", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "e7b64fb3-e893-54ed-8aea-5bb515fb3511", - 
"role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/fc6df3bf-566c-5dba-b1c2-1222f8cf3e35\"]", - "mode": "managed", - "type": "azurerm_role_assignment", - "name": "policy_assignment", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/fc6df3bf-566c-5dba-b1c2-1222f8cf3e35", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "condition": null, - "condition_version": null, - "delegated_managed_identity_resource_id": null, - "description": null, - "name": "fc6df3bf-566c-5dba-b1c2-1222f8cf3e35", - "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3", - "timeouts": null - }, - "sensitive_values": {} - }, - { - "address": "module.test_root_id_3.azurerm_role_definition.enterprise_scale[\"/providers/Microsoft.Authorization/roleDefinitions/7e06ff4f-d4fd-5b0b-8bdc-fb05ba0509f8\"]", - "mode": "managed", - "type": "azurerm_role_definition", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Authorization/roleDefinitions/7e06ff4f-d4fd-5b0b-8bdc-fb05ba0509f8", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 1, - "values": { - "assignable_scopes": [ - "/providers/Microsoft.Management/managementGroups/root-id-3" - ], - "description": "Enterprise-scale custom Role Definition. 
Grants full access to manage Virtual Network subnets, but no other network resources.", - "name": "[ROOT-ID-3] Network-Subnet-Contributor", - "permissions": [ - { - "actions": [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.ResourceHealth/availabilityStatuses/read", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Support/*", - "Microsoft.Network/*/read", - "Microsoft.Network/virtualNetworks/subnets/*" - ], - "data_actions": null, - "not_actions": [], - "not_data_actions": null - } - ], - "role_definition_id": "7e06ff4f-d4fd-5b0b-8bdc-fb05ba0509f8", - "scope": "/providers/Microsoft.Management/managementGroups/root-id-3", - "timeouts": null - }, - "sensitive_values": { - "assignable_scopes": [ - false - ], - "permissions": [ - { - "actions": [ - false, - false, - false, - false, - false, - false, - false, - false - ], - "not_actions": [] - } - ] - } - }, - { - "address": "module.test_root_id_3.azurerm_subnet.connectivity[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/virtualNetworks/root-id-3-hub-eastus/subnets/AzureFirewallSubnet\"]", - "mode": "managed", - "type": "azurerm_subnet", - "name": "connectivity", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/virtualNetworks/root-id-3-hub-eastus/subnets/AzureFirewallSubnet", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "address_prefixes": [ - "10.100.0.0/24" - ], - "delegation": [], - "enforce_private_link_endpoint_network_policies": false, - "enforce_private_link_service_network_policies": false, - "name": "AzureFirewallSubnet", - "resource_group_name": "root-id-3-connectivity-eastus", - "service_endpoint_policy_ids": null, - "service_endpoints": null, - "timeouts": null, - "virtual_network_name": 
"root-id-3-hub-eastus" - }, - "sensitive_values": { - "address_prefixes": [ - false - ], - "delegation": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_subnet.connectivity[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/virtualNetworks/root-id-3-hub-eastus/subnets/GatewaySubnet\"]", - "mode": "managed", - "type": "azurerm_subnet", - "name": "connectivity", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/virtualNetworks/root-id-3-hub-eastus/subnets/GatewaySubnet", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "address_prefixes": [ - "10.100.1.0/24" - ], - "delegation": [], - "enforce_private_link_endpoint_network_policies": false, - "enforce_private_link_service_network_policies": false, - "name": "GatewaySubnet", - "resource_group_name": "root-id-3-connectivity-eastus", - "service_endpoint_policy_ids": null, - "service_endpoints": null, - "timeouts": null, - "virtual_network_name": "root-id-3-hub-eastus" - }, - "sensitive_values": { - "address_prefixes": [ - false - ], - "delegation": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_virtual_network.connectivity[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/virtualNetworks/root-id-3-hub-eastus\"]", - "mode": "managed", - "type": "azurerm_virtual_network", - "name": "connectivity", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/virtualNetworks/root-id-3-hub-eastus", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "address_space": [ - "10.100.0.0/16" - ], - "bgp_community": null, - "ddos_protection_plan": [], - "dns_servers": [], - "location": "eastus", - 
"name": "root-id-3-hub-eastus", - "resource_group_name": "root-id-3-connectivity-eastus", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale/tests/deployment" - }, - "timeouts": null, - "vm_protection_enabled": false - }, - "sensitive_values": { - "address_space": [ - false - ], - "ddos_protection_plan": [], - "dns_servers": [], - "subnet": [], - "tags": {} - } - }, - { - "address": "module.test_root_id_3.azurerm_virtual_network_gateway.connectivity[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/virtualNetworkGateways/root-id-3-ergw-eastus\"]", - "mode": "managed", - "type": "azurerm_virtual_network_gateway", - "name": "connectivity", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/virtualNetworkGateways/root-id-3-ergw-eastus", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "active_active": false, - "custom_route": [], - "default_local_network_gateway_id": null, - "enable_bgp": true, - "ip_configuration": [ - { - "name": "root-id-3-ergw-eastus-pip", - "private_ip_address_allocation": "Dynamic", - "public_ip_address_id": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/publicIPAddresses/root-id-3-ergw-eastus-pip", - "subnet_id": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/virtualNetworks/root-id-3-hub-eastus/subnets/GatewaySubnet" - } - ], - "location": "eastus", - "name": "root-id-3-ergw-eastus", - "private_ip_address_enabled": null, - "resource_group_name": "root-id-3-connectivity-eastus", - "sku": "ErGw2AZ", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale/tests/deployment" - }, - "timeouts": null, - "type": "ExpressRoute", - "vpn_client_configuration": [], 
- "vpn_type": "RouteBased" - }, - "sensitive_values": { - "bgp_settings": [], - "custom_route": [], - "ip_configuration": [ - {} - ], - "tags": {}, - "vpn_client_configuration": [] - } - }, - { - "address": "module.test_root_id_3.azurerm_virtual_network_gateway.connectivity[\"/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/virtualNetworkGateways/root-id-3-vpngw-eastus\"]", - "mode": "managed", - "type": "azurerm_virtual_network_gateway", - "name": "connectivity", - "index": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/virtualNetworkGateways/root-id-3-vpngw-eastus", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "active_active": false, - "custom_route": [], - "default_local_network_gateway_id": null, - "enable_bgp": false, - "ip_configuration": [ - { - "name": "root-id-3-vpngw-eastus-pip", - "private_ip_address_allocation": "Dynamic", - "public_ip_address_id": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/publicIPAddresses/root-id-3-vpngw-eastus-pip", - "subnet_id": "/subscriptions/2a8527ca-5340-49aa-8931-ea03669451a0/resourceGroups/root-id-3-connectivity-eastus/providers/Microsoft.Network/virtualNetworks/root-id-3-hub-eastus/subnets/GatewaySubnet" - } - ], - "location": "eastus", - "name": "root-id-3-vpngw-eastus", - "private_ip_address_enabled": null, - "resource_group_name": "root-id-3-connectivity-eastus", - "sku": "VpnGw2AZ", - "tags": { - "deployedBy": "terraform/azure/caf-enterprise-scale/tests/deployment" - }, - "timeouts": null, - "type": "Vpn", - "vpn_client_configuration": [], - "vpn_type": "RouteBased" - }, - "sensitive_values": { - "bgp_settings": [], - "custom_route": [], - "ip_configuration": [ - {} - ], - "tags": {}, - "vpn_client_configuration": [] - } - }, - { - 
"address": "module.test_root_id_3.time_sleep.after_azurerm_management_group", - "mode": "managed", - "type": "time_sleep", - "name": "after_azurerm_management_group", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "values": { - "create_duration": "120s", - "destroy_duration": "0s", - "triggers": { - "azurerm_management_group_level_1": "[\"/providers/Microsoft.Management/managementGroups/root-id-3\"]", - "azurerm_management_group_level_2": "[\"/providers/Microsoft.Management/managementGroups/root-id-3-decommissioned\",\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones\",\"/providers/Microsoft.Management/managementGroups/root-id-3-platform\",\"/providers/Microsoft.Management/managementGroups/root-id-3-sandboxes\"]", - "azurerm_management_group_level_3": "[\"/providers/Microsoft.Management/managementGroups/root-id-3-connectivity\",\"/providers/Microsoft.Management/managementGroups/root-id-3-corp\",\"/providers/Microsoft.Management/managementGroups/root-id-3-identity\",\"/providers/Microsoft.Management/managementGroups/root-id-3-management\",\"/providers/Microsoft.Management/managementGroups/root-id-3-online\",\"/providers/Microsoft.Management/managementGroups/root-id-3-sap\",\"/providers/Microsoft.Management/managementGroups/root-id-3-secure\"]", - "azurerm_management_group_level_4": "[\"/providers/Microsoft.Management/managementGroups/root-id-3-web-emea\",\"/providers/Microsoft.Management/managementGroups/root-id-3-web-global\",\"/providers/Microsoft.Management/managementGroups/root-id-3-web-us\"]", - "azurerm_management_group_level_5": "[]", - "azurerm_management_group_level_6": "[]" - } - }, - "sensitive_values": { - "triggers": {} - } - }, - { - "address": "module.test_root_id_3.time_sleep.after_azurerm_policy_assignment", - "mode": "managed", - "type": "time_sleep", - "name": "after_azurerm_policy_assignment", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "values": 
{ - "create_duration": "30s", - "destroy_duration": "0s", - "triggers": { - "azurerm_management_group_policy_assignment_enterprise_scale": "[\"/providers/Microsoft.Management/managementGroups/root-id-3-connectivity/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET\",\"/providers/Microsoft.Management/managementGroups/root-id-3-corp/providers/Microsoft.Authorization/policyAssignments/Deny-Public-Endpoints\",\"/providers/Microsoft.Management/managementGroups/root-id-3-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones\",\"/providers/Microsoft.Management/managementGroups/root-id-3-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Public-IP\",\"/providers/Microsoft.Management/managementGroups/root-id-3-identity/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet\",\"/providers/Microsoft.Management/managementGroups/root-id-3-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg\",\"/providers/Microsoft.Management/managementGroups/root-id-3-identity/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup\",\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-IP-Forwarding\",\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Containers-AKS\",\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Escalation-AKS\",\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet\",\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Storage-http\",\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Au
thorization/policyAssignments/Deny-Subnet-Without-Nsg\",\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-AKS-Policy\",\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-DB-Auditing\",\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Threat\",\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup\",\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET\",\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-AKS-HTTPS\",\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL\",\"/providers/Microsoft.Management/managementGroups/root-id-3-management/providers/Microsoft.Authorization/policyAssignments/Deploy-Log-Analytics\",\"/providers/Microsoft.Management/managementGroups/root-id-3-secure/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\",\"/providers/Microsoft.Management/managementGroups/root-id-3-secure/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\",\"/providers/Microsoft.Management/managementGroups/root-id-3-secure/providers/Microsoft.Authorization/policyAssignments/Deploy-HITRUST-HIPAA\",\"/providers/Microsoft.Management/managementGroups/root-id-3-web-emea/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\",\"/providers/Microsoft.Management/managementGroups/root-id-3-web-emea/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\",\"/providers/Microsoft.Management/managementGr
oups/root-id-3-web-us/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\",\"/providers/Microsoft.Management/managementGroups/root-id-3-web-us/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Monitoring\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-AzActivity-Log\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-HITRUST-HIPAA\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-LX-Arc-Monitoring\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-MDFC-Config\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-Resource-Diag\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Auditing\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-Monitoring\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyAssignments/Deploy-WS-Arc-Monitoring\"]" - } - }, - "sensitive_values": { - "triggers": {} - } - }, - { - "address": 
"module.test_root_id_3.time_sleep.after_azurerm_policy_definition", - "mode": "managed", - "type": "time_sleep", - "name": "after_azurerm_policy_definition", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "values": { - "create_duration": "30s", - "destroy_duration": "0s", - "triggers": { - "azurerm_policy_definition_enterprise_scale": "[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-AA-child-resources\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\"/providers/Microsoft.Management/managementGroups
/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Aks\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-SubnetId\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-VmSize\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-Scale\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-HbiWorkspace\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicAccessWhenBehindVnet\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions
/Deny-Private-DNS-Zones\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deny-VNet-Peering\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Budget\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Custom-Route-Table\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers
/Microsoft.Authorization/policyDefinitions/Deploy-DDoSProtection\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\"/providers/Microsoft.Management/manageme
ntGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspac
e\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinition
s/Deploy-Diagnostics-VMSS\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-FirewallPolicy\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs-to-LA\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefini
tions/Deploy-SQL-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-VNET-HubSpoke\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policyDefinitions/Deploy-Windows-DomainJoin\"]" - } - }, - "sensitive_values": { - "triggers": {} - } - }, - { - "address": "module.test_root_id_3.time_sleep.after_azurerm_policy_set_definition", - "mode": "managed", - "type": "time_sleep", - "name": "after_azurerm_policy_set_definition", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "values": { - "create_duration": "30s", - "destroy_duration": "0s", - "triggers": { - "azurerm_policy_set_definition_enterprise_scale": 
"[\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK\"]" - } - }, - "sensitive_values": { - "triggers": {} - } - }, - { - "address": "module.test_root_id_3.time_sleep.after_azurerm_role_assignment", - "mode": "managed", - "type": "time_sleep", - "name": "after_azurerm_role_assignment", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "values": { - "create_duration": "30s", - "destroy_duration": "0s", - "triggers": { - "azurerm_policy_assignment_enterprise_scale": "[]", - "azurerm_policy_assignment_policy_assignment": 
"[\"/providers/Microsoft.Management/managementGroups/root-id-3-connectivity/providers/Microsoft.Authorization/roleAssignments/e8de8c60-f28e-58af-9f88-558d76b24b83\",\"/providers/Microsoft.Management/managementGroups/root-id-3-corp/providers/Microsoft.Authorization/roleAssignments/0e1d0115-c48b-58ac-814d-c978e0c40fac\",\"/providers/Microsoft.Management/managementGroups/root-id-3-corp/providers/Microsoft.Authorization/roleAssignments/79ed60b3-ef94-58fd-b3cd-41b8228c05b5\",\"/providers/Microsoft.Management/managementGroups/root-id-3-corp/providers/Microsoft.Authorization/roleAssignments/d3e75b61-d41e-5648-b823-dba81181fc63\",\"/providers/Microsoft.Management/managementGroups/root-id-3-identity/providers/Microsoft.Authorization/roleAssignments/30f6bbd5-1448-55dc-a337-8cc36c6f5225\",\"/providers/Microsoft.Management/managementGroups/root-id-3-identity/providers/Microsoft.Authorization/roleAssignments/8735df8c-5968-5f1b-8146-568a0840ac84\",\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/roleAssignments/4d4eb338-cb10-5c88-8f39-7223c52cda6f\",\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/roleAssignments/57f831b9-e928-5b5b-ac1c-90d0245f7674\",\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/roleAssignments/8483318a-a506-576e-8a04-c38d47cb6661\",\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/roleAssignments/c8e0494e-62ca-5af3-8612-e471f990af7d\",\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/roleAssignments/ca13bdd6-0544-5b4f-b0f8-934a85749f0c\",\"/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones/providers/Microsoft.Authorization/roleAssignments/de602d23-3a0e-534f-8c96-e23d7553dbb7\",\"/providers/Microsoft.Management/managementGroups/root-id-3-landing
-zones/providers/Microsoft.Authorization/roleAssignments/e05bccb4-cf3d-5491-af76-cdac3c09cbe7\",\"/providers/Microsoft.Management/managementGroups/root-id-3-management/providers/Microsoft.Authorization/roleAssignments/b33c95fa-f602-5435-acb3-f9f77e34f0b7\",\"/providers/Microsoft.Management/managementGroups/root-id-3-secure/providers/Microsoft.Authorization/roleAssignments/0709bcc0-3a5c-5bd5-b76b-1aa4cd92e9e8\",\"/providers/Microsoft.Management/managementGroups/root-id-3-secure/providers/Microsoft.Authorization/roleAssignments/0aff3c41-09e3-515a-b544-494b967e15af\",\"/providers/Microsoft.Management/managementGroups/root-id-3-secure/providers/Microsoft.Authorization/roleAssignments/34fc74e5-ba64-5ee8-9e8d-cff7c6800938\",\"/providers/Microsoft.Management/managementGroups/root-id-3-secure/providers/Microsoft.Authorization/roleAssignments/ae6da3ae-362a-54ee-a361-23403bcf2f2d\",\"/providers/Microsoft.Management/managementGroups/root-id-3-secure/providers/Microsoft.Authorization/roleAssignments/d8a7b519-56e2-5c8c-b094-1f7891301042\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/1fbd1ef4-e707-50aa-b735-b435bfbb0f75\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/2a0b3092-70a8-5efc-90e4-9ce8b48ae9d2\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/2ee16d2b-56f7-5374-854e-385025401e09\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/3725559b-ab90-5aee-a984-2b51350ab33f\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/37876495-ef4c-52ac-b36d-e055ff4f76e0\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/402f9d83-f4d2-5a26-a709-76fe950f07ac\",\"/providers/Microsoft.Management/managementGroups/root-id
-3/providers/Microsoft.Authorization/roleAssignments/4ffbcb77-26a7-5c54-9ef4-ad5cf2f17ce3\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/99c0a2ca-e316-5c3e-95db-0af65668929a\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/a6104bde-96e1-5c3d-870b-5a93ca64d5ee\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/aaa50899-4789-5c27-88f2-22a461427364\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/c23eebdb-8a7e-5427-9699-017e8bca9740\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/cff4dc71-46a7-5337-b6f4-77fed0293ff7\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/d1124698-14c2-5894-8eab-417a22e7c3de\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/d436f3a0-a085-5ed0-a2a5-e0f48700e6ba\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/da6355d2-3ea7-5ab4-8996-be7dda68a557\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/e2b72278-799d-5a0b-a113-0f6fd1e8a9b0\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/e7b64fb3-e893-54ed-8aea-5bb515fb3511\",\"/providers/Microsoft.Management/managementGroups/root-id-3/providers/Microsoft.Authorization/roleAssignments/fc6df3bf-566c-5dba-b1c2-1222f8cf3e35\"]" - } - }, - "sensitive_values": { - "triggers": {} - } - }, - { - "address": "module.test_root_id_3.time_sleep.after_azurerm_role_definition", - "mode": "managed", - "type": "time_sleep", - "name": "after_azurerm_role_definition", - "provider_name": 
"registry.terraform.io/hashicorp/time", - "schema_version": 0, - "values": { - "create_duration": "30s", - "destroy_duration": "0s", - "triggers": { - "azurerm_role_definition_enterprise_scale": "[\"/providers/Microsoft.Authorization/roleDefinitions/7e06ff4f-d4fd-5b0b-8bdc-fb05ba0509f8\"]" - } - }, - "sensitive_values": { - "triggers": {} - } - } - ], - "address": "module.test_root_id_3" - }, - { - "resources": [ - { - "address": "module.test_root_id_3_lz1.azurerm_management_group.level_1[\"/providers/Microsoft.Management/managementGroups/root-id-3-scoped-lz1\"]", - "mode": "managed", - "type": "azurerm_management_group", - "name": "level_1", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-scoped-lz1", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "display_name": "Scoped LZ1", - "name": "root-id-3-scoped-lz1", - "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-landing-zones", - "timeouts": null - }, - "sensitive_values": { - "subscription_ids": [] - } - }, - { - "address": "module.test_root_id_3_lz1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-scoped-lz1/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-scoped-lz1/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Specifies the allowed locations (regions) where Resource Groups can be deployed. 
Generated from custom Terraform template.", - "display_name": "Limit allowed locations for Resource Groups", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-scoped-lz1", - "name": "Deny-RSG-Locations", - "not_scopes": [], - "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"eastus\",\"eastus2\",\"westus\",\"northcentralus\",\"southcentralus\"]}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": "module.test_root_id_3_lz1.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-3-scoped-lz1/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\"]", - "mode": "managed", - "type": "azurerm_management_group_policy_assignment", - "name": "enterprise_scale", - "index": "/providers/Microsoft.Management/managementGroups/root-id-3-scoped-lz1/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "schema_version": 0, - "values": { - "description": "Specifies the allowed locations (regions) where Resources can be deployed.", - "display_name": "Limit allowed locations for Resources", - "enforce": true, - "identity": [], - "location": "eastus", - "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-3-scoped-lz1", - "name": "Deny-Resource-Locations", - "not_scopes": [], - "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"northcentralus\",\"southcentralus\"]}}", - "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", - "timeouts": null - }, - "sensitive_values": { - "identity": [], - "not_scopes": [] - } - }, - { - "address": 
"module.test_root_id_3_lz1.time_sleep.after_azurerm_management_group", - "mode": "managed", - "type": "time_sleep", - "name": "after_azurerm_management_group", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "values": { - "create_duration": "120s", - "destroy_duration": "0s", - "triggers": { - "azurerm_management_group_level_1": "[\"/providers/Microsoft.Management/managementGroups/root-id-3-scoped-lz1\"]", - "azurerm_management_group_level_2": "[]", - "azurerm_management_group_level_3": "[]", - "azurerm_management_group_level_4": "[]", - "azurerm_management_group_level_5": "[]", - "azurerm_management_group_level_6": "[]" - } - }, - "sensitive_values": { - "triggers": {} - } - }, - { - "address": "module.test_root_id_3_lz1.time_sleep.after_azurerm_policy_assignment", - "mode": "managed", - "type": "time_sleep", - "name": "after_azurerm_policy_assignment", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "values": { - "create_duration": "30s", - "destroy_duration": "0s", - "triggers": { - "azurerm_management_group_policy_assignment_enterprise_scale": "[\"/providers/Microsoft.Management/managementGroups/root-id-3-scoped-lz1/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\",\"/providers/Microsoft.Management/managementGroups/root-id-3-scoped-lz1/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\"]" - } - }, - "sensitive_values": { - "triggers": {} - } - }, - { - "address": "module.test_root_id_3_lz1.time_sleep.after_azurerm_policy_definition", - "mode": "managed", - "type": "time_sleep", - "name": "after_azurerm_policy_definition", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "values": { - "create_duration": "30s", - "destroy_duration": "0s", - "id": "2022-02-22T07:32:00Z", - "triggers": { - "azurerm_policy_definition_enterprise_scale": "[]" - } - }, - "sensitive_values": { - "triggers": {} - } - }, - { - 
"address": "module.test_root_id_3_lz1.time_sleep.after_azurerm_policy_set_definition", - "mode": "managed", - "type": "time_sleep", - "name": "after_azurerm_policy_set_definition", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "values": { - "create_duration": "30s", - "destroy_duration": "0s", - "id": "2022-02-22T07:32:31Z", - "triggers": { - "azurerm_policy_set_definition_enterprise_scale": "[]" - } - }, - "sensitive_values": { - "triggers": {} - } - }, - { - "address": "module.test_root_id_3_lz1.time_sleep.after_azurerm_role_assignment", - "mode": "managed", - "type": "time_sleep", - "name": "after_azurerm_role_assignment", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "values": { - "create_duration": "30s", - "destroy_duration": "0s", - "id": "2022-02-22T07:42:16Z", - "triggers": { - "azurerm_policy_assignment_enterprise_scale": "[]", - "azurerm_policy_assignment_policy_assignment": "[]" - } - }, - "sensitive_values": { - "triggers": {} - } - }, - { - "address": "module.test_root_id_3_lz1.time_sleep.after_azurerm_role_definition", - "mode": "managed", - "type": "time_sleep", - "name": "after_azurerm_role_definition", - "provider_name": "registry.terraform.io/hashicorp/time", - "schema_version": 0, - "values": { - "create_duration": "30s", - "destroy_duration": "0s", - "id": "2022-02-22T07:32:00Z", - "triggers": { - "azurerm_role_definition_enterprise_scale": "[]" - } - }, - "sensitive_values": { - "triggers": {} - } - } - ], - "address": "module.test_root_id_3_lz1" - } - ] -} diff --git a/tests/deployment/settings.shared.tf b/tests/deployment/settings.shared.tf deleted file mode 100644 index 460653cb..00000000 --- a/tests/deployment/settings.shared.tf +++ /dev/null @@ -1,6 +0,0 @@ -# Configure shared settings. -locals { - default_tags = { - deployedBy = "terraform/azure/caf-enterprise-scale/tests/deployment" - } -} 
diff --git a/tests/modules/settings/outputs.tf b/tests/modules/settings/outputs.tf new file mode 100644 index 00000000..9f01aeae --- /dev/null +++ b/tests/modules/settings/outputs.tf @@ -0,0 +1,32 @@ +output "connectivity" { + value = { + configure_connectivity_resources = local.configure_connectivity_resources + } +} + +output "core" { + value = { + custom_landing_zones = local.custom_landing_zones + archetype_config_overrides = local.archetype_config_overrides + subscription_id_overrides = local.subscription_id_overrides + custom_template_file_variables = local.custom_template_file_variables + } +} + +output "management" { + value = { + configure_management_resources = local.configure_management_resources + } +} + +output "nested" { + value = { + custom_landing_zones = local.nested_custom_landing_zones + } +} + +output "shared" { + value = { + default_tags = local.default_tags + } +} diff --git a/tests/deployment/settings.connectivity.tf b/tests/modules/settings/settings.connectivity.tf similarity index 55% rename from tests/deployment/settings.connectivity.tf rename to tests/modules/settings/settings.connectivity.tf index 51f269cf..78900e68 100644 --- a/tests/deployment/settings.connectivity.tf +++ b/tests/modules/settings/settings.connectivity.tf @@ -6,8 +6,8 @@ locals { { enabled = true config = { - address_space = ["10.100.0.0/16", ] - location = var.location + address_space = ["10.100.0.0/22", ] + location = var.primary_location link_to_ddos_protection_plan = false dns_servers = [] bgp_community = "" @@ -16,8 +16,8 @@ locals { enabled = true config = { address_prefix = "10.100.1.0/24" - gateway_sku_expressroute = "ErGw2AZ" - gateway_sku_vpn = "VpnGw2AZ" + gateway_sku_expressroute = "ErGw1AZ" + gateway_sku_vpn = "VpnGw1AZ" } } azure_firewall = { 
@@ -36,8 +36,106 @@ locals { enable_outbound_virtual_network_peering = false } }, + { + enabled = true + config = { + address_space = ["10.101.0.0/22", ] + location = var.secondary_location + link_to_ddos_protection_plan = false + dns_servers = [] + bgp_community = "" + subnets = [] + virtual_network_gateway = { + enabled = false + config = { + address_prefix = "10.101.1.0/24" + gateway_sku_expressroute = "ErGw1AZ" + gateway_sku_vpn = "VpnGw1AZ" + } + } + azure_firewall = { + enabled = false + config = { + address_prefix = "10.101.0.0/24" + enable_dns_proxy = true + availability_zones = { + zone_1 = true + zone_2 = true + zone_3 = true + } + } + } + spoke_virtual_network_resource_ids = [] + enable_outbound_virtual_network_peering = false + } + }, + ] + vwan_hub_networks = [ + { + enabled = true + config = { + address_prefix = "10.200.0.0/22" + location = var.primary_location + sku = "" + routes = [] + expressroute_gateway = { + enabled = true + config = { + scale_unit = 1 + } + } + vpn_gateway = { + enabled = true + config = { + bgp_settings = [] + routing_preference = "" + scale_unit = 1 + } + } + azure_firewall = { + enabled = true + config = { + enable_dns_proxy = false + sku_tier = "Standard" + } + } + spoke_virtual_network_resource_ids = [] + enable_virtual_hub_connections = true + } + }, + { + enabled = true + config = { + address_prefix = "10.201.0.0/22" + location = var.secondary_location + sku = "" + routes = [] + expressroute_gateway = { + enabled = false + config = { + scale_unit = 1 + } + } + vpn_gateway = { + enabled = false + config = { + bgp_settings = [] + routing_preference = "" + scale_unit = 1 + } + } + azure_firewall = { + enabled = false + config = { + enable_dns_proxy = false + sku_tier = "Standard" + } + } + spoke_virtual_network_resource_ids = [] + enable_virtual_hub_connections = true + } + }, ] - vwan_hub_networks = [] ddos_protection_plan = { enabled = false config = { 
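Review bot: Both entries added to `vwan_hub_networks` set `enable_dns_proxy = false` under `azure_firewall`, while the hub network entry added earlier in this same hunk sets `enable_dns_proxy = true`, so the virtual hub firewall is never planned with DNS proxy on. Azure Firewall relies on DNS proxy for FQDN filtering in network rules, so a fixture that only covers the off state could miss a regression in how that setting is passed through. If the difference is deliberate, record it next to the setting, for example `# DNS proxy intentionally off for the Virtual WAN test case`. Otherwise set `enable_dns_proxy = true` on the primary-location hub, which is the one with the firewall enabled. The `locals` block starts before this hunk and continues after it.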
diff --git a/tests/deployment/settings.core.tf b/tests/modules/settings/settings.core.tf similarity index 90% rename from tests/deployment/settings.core.tf rename to tests/modules/settings/settings.core.tf index 0648ac6e..33d65c61 100644 --- a/tests/deployment/settings.core.tf +++ b/tests/modules/settings/settings.core.tf @@ -2,9 +2,9 @@ # addition the core resource hierarchy. locals { custom_landing_zones = { - "${var.root_id_3}-secure" = { + "${var.root_id}-secure" = { display_name = "Secure Workloads (HITRUST/HIPAA)" - parent_management_group_id = "${var.root_id_3}-landing-zones" + parent_management_group_id = "${var.root_id}-landing-zones" subscription_ids = [] archetype_config = { archetype_id = "customer_secure" @@ -23,8 +23,8 @@ locals { } Deploy-HITRUST-HIPAA = { CertificateThumbprints = "" - DeployDiagnosticSettingsforNetworkSecurityGroupsrgName = "${var.root_id_3}-rg" - DeployDiagnosticSettingsforNetworkSecurityGroupsstoragePrefix = var.root_id_3 + DeployDiagnosticSettingsforNetworkSecurityGroupsrgName = "${var.root_id}-rg" + DeployDiagnosticSettingsforNetworkSecurityGroupsstoragePrefix = var.root_id installedApplicationsOnWindowsVM = "" listOfLocations = [ "eastus", @@ -34,9 +34,9 @@ locals { access_control = {} } } - "${var.root_id_3}-web-global" = { + "${var.root_id}-web-global" = { display_name = "Global Web Applications" - parent_management_group_id = "${var.root_id_3}-online" + parent_management_group_id = "${var.root_id}-online" subscription_ids = [] archetype_config = { archetype_id = "default_empty" @@ -44,9 +44,9 @@ locals { access_control = {} } } - "${var.root_id_3}-web-us" = { + "${var.root_id}-web-us" = { display_name = "US Web Applications" - parent_management_group_id = "${var.root_id_3}-online" + parent_management_group_id = "${var.root_id}-online" subscription_ids = [] archetype_config = { archetype_id = "customer_online" 
@@ -67,9 +67,9 @@ locals { access_control = {} } } - "${var.root_id_3}-web-emea" = { + "${var.root_id}-web-emea" = { display_name = "EMEA Web Applications" - parent_management_group_id = "${var.root_id_3}-online" + parent_management_group_id = "${var.root_id}-online" subscription_ids = [] archetype_config = { archetype_id = "customer_online" @@ -129,8 +129,8 @@ locals { } Deploy-HITRUST-HIPAA = { CertificateThumbprints = "" - DeployDiagnosticSettingsforNetworkSecurityGroupsrgName = "${var.root_id_3}-rg" - DeployDiagnosticSettingsforNetworkSecurityGroupsstoragePrefix = var.root_id_3 + DeployDiagnosticSettingsforNetworkSecurityGroupsrgName = "${var.root_id}-rg" + DeployDiagnosticSettingsforNetworkSecurityGroupsstoragePrefix = var.root_id installedApplicationsOnWindowsVM = "" listOfLocations = [ "eastus", diff --git a/tests/deployment/settings.management.tf b/tests/modules/settings/settings.management.tf similarity index 92% rename from tests/deployment/settings.management.tf rename to tests/modules/settings/settings.management.tf index 7a9a64cc..ce8e6627 100644 --- a/tests/deployment/settings.management.tf +++ b/tests/modules/settings/settings.management.tf @@ -23,7 +23,7 @@ locals { security_center = { enabled = true config = { - email_security_contact = "test.user@replace_me" + email_security_contact = var.email_security_contact enable_defender_for_app_services = true enable_defender_for_arm = true enable_defender_for_containers = true @@ -40,7 +40,7 @@ locals { location = null tags = { - deployedBy = "terraform/azure/caf-enterprise-scale" + deployedBy = "${local.default_tags.deployedBy}/management" } advanced = null } diff --git a/tests/modules/settings/settings.nested.tf b/tests/modules/settings/settings.nested.tf new file mode 100644 index 00000000..a6295ec0 --- /dev/null +++ b/tests/modules/settings/settings.nested.tf 
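Review bot: `email_security_contact = var.email_security_contact` in the `security_center` block still resolves to the placeholder `test.user@replace_me`, because the variable declared in `tests/modules/settings/variables.tf` in this commit keeps that string as its default and has no `description` or `validation`. With `security_center` enabled, a run that does not override the variable would presumably register an undeliverable address as the security contact. I would state the expectation on the variable, for example `description = "Security contact for Defender alerts; override the placeholder default wherever alerts must reach a person."`. The surrounding `locals` block begins and ends outside this hunk.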
@@ -0,0 +1,21 @@
+locals {
+ nested_custom_landing_zones = {
+ "${var.root_id}-custom-lz1" = {
+ display_name = "Nested Custom LZ1"
+ parent_management_group_id = "${var.root_id}-landing-zones"
+ subscription_ids = []
+ archetype_config = {
+ archetype_id = "customer_online"
+ parameters = {
+ Deny-Resource-Locations = {
+ listOfAllowedLocations = [
+ "northcentralus",
+ "southcentralus",
+ ]
+ }
+ }
+ access_control = {}
+ }
+ }
+ }
+}
diff --git a/tests/modules/settings/settings.shared.tf b/tests/modules/settings/settings.shared.tf
new file mode 100644
index 00000000..b9b2b3ce
--- /dev/null
+++ b/tests/modules/settings/settings.shared.tf
@@ -0,0 +1,6 @@
+# Configure shared settings.
+locals {
+ default_tags = {
+ deployedBy = "terraform/azure/caf-enterprise-scale/test_framework"
+ }
+}
diff --git a/tests/modules/settings/variables.tf b/tests/modules/settings/variables.tf
new file mode 100644
index 00000000..58e4da38
--- /dev/null
+++ b/tests/modules/settings/variables.tf
@@ -0,0 +1,19 @@
+variable "root_id" {
+ type = string
+ default = "test"
+}
+
+variable "primary_location" {
+ type = string
+ default = "northeurope"
+}
+
+variable "secondary_location" {
+ type = string
+ default = "westeurope"
+}
+
+variable "email_security_contact" {
+ type = string
+ default = "test.user@replace_me"
+}
diff --git a/tests/modules/test_001_baseline/client_config.tf b/tests/modules/test_001_baseline/client_config.tf
new file mode 100644
index 00000000..82c49b84
--- /dev/null
+++ b/tests/modules/test_001_baseline/client_config.tf
@@ -0,0 +1,7 @@
+data "azurerm_client_config" "connectivity" {
+ provider = azurerm.connectivity
+}
+
+data "azurerm_client_config" "management" {
+ provider = azurerm.management
+}
diff --git a/tests/modules/test_001_baseline/main.tf b/tests/modules/test_001_baseline/main.tf
new file mode 100644
index 00000000..ff0031f5
--- /dev/null
+++ b/tests/modules/test_001_baseline/main.tf
@@ -0,0 +1,21 @@ +module "test_core" { + source = "../../../" + + providers = { + azurerm = azurerm.management + azurerm.connectivity = azurerm.connectivity + azurerm.management = azurerm.management + } + + # Base module configuration settings + root_parent_id = data.azurerm_client_config.management.tenant_id + root_id = var.root_id + root_name = var.root_name + default_location = var.primary_location + default_tags = module.settings.shared.default_tags + + # Tuning delay timers to improve pipeline completion success rate + create_duration_delay = var.create_duration_delay + destroy_duration_delay = var.destroy_duration_delay + +} diff --git a/tests/deployment/outputs.tf b/tests/modules/test_001_baseline/outputs.tf similarity index 72% rename from tests/deployment/outputs.tf rename to tests/modules/test_001_baseline/outputs.tf index 9172e0ec..69ef5b8a 100644 --- a/tests/deployment/outputs.tf +++ b/tests/modules/test_001_baseline/outputs.tf @@ -6,10 +6,7 @@ output "resource_ids" { value = { for module_name, module_output in { - test_root_id_1 = module.test_root_id_1 - test_root_id_2 = module.test_root_id_2 - test_root_id_3 = module.test_root_id_3 - test_root_id_3_lz1 = module.test_root_id_3_lz1 + test_core = module.test_core } : module_name => { for resource_type, resource_instances in module_output : diff --git a/tests/modules/test_001_baseline/planned_values.json b/tests/modules/test_001_baseline/planned_values.json new file mode 100644 index 00000000..1e387f32 --- /dev/null +++ b/tests/modules/test_001_baseline/planned_values.json 
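Review bot: `root_parent_id = data.azurerm_client_config.management.tenant_id` in `module "test_core"` puts the tenant ID of whichever identity runs the plan into the plan output. The `planned_values.json` baseline added next to this file records a tenant GUID as the `parent_management_group_id` of `root-id-1`. If that GUID belongs to a real tenant, the committed baseline publishes it and ties the policy test to one environment. I would add a comment above the assignment, such as `# tenant_id is written to planned_values.json; substitute a placeholder before committing the baseline`, and have the value generator do the substitution. This file also reads `module.settings.shared.default_tags`, but no `module "settings"` block appears in the hunk, so it is presumably declared in a sibling file.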
@@ -0,0 +1,5374 @@ +{ + "child_modules": [ + { + "resources": [ + { + "address": "module.test_core.azurerm_management_group.level_1[\"/providers/Microsoft.Management/managementGroups/root-id-1\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_1", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "root-name", + "name": "root-id-1", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/dac8feee-8768-4fbd-9cf9-9d96d4718018", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_2[\"/providers/Microsoft.Management/managementGroups/root-id-1-decommissioned\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_2", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-decommissioned", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Decommissioned", + "name": "root-id-1-decommissioned", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_2[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_2", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Landing Zones", + "name": "root-id-1-landing-zones", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": 
{ + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_2[\"/providers/Microsoft.Management/managementGroups/root-id-1-platform\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_2", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-platform", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Platform", + "name": "root-id-1-platform", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_2[\"/providers/Microsoft.Management/managementGroups/root-id-1-sandboxes\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_2", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-sandboxes", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Sandboxes", + "name": "root-id-1-sandboxes", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-1-connectivity\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_3", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-connectivity", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Connectivity", + "name": "root-id-1-connectivity", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-platform", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + 
"address": "module.test_core.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_3", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Identity", + "name": "root-id-1-identity", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-platform", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-1-management\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_3", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-management", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Management", + "name": "root-id-1-management", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-platform", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-connectivity/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-connectivity/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Protect your virtual networks against volumetric and protocol attacks 
with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs.", + "display_name": "Virtual networks should be protected by Azure DDoS Protection Standard", + "enforce": false, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-connectivity", + "name": "Enable-DDoS-VNET", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"ddosPlan\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-1-ddos/providers/Microsoft.Network/ddosProtectionPlans/root-id-1-ddos-northeurope\"},\"effect\":{\"value\":\"Modify\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Public-IP\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Public-IP", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies creation of Public IPs under the assigned scope.", + "display_name": "Deny the creation of public IP", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", + "name": "Deny-Public-IP", + "non_compliance_message": [], + "not_scopes": [], + "parameters": 
"{\"effect\":{\"value\":\"Deny\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies any network security rule that allows RDP access from Internet.", + "display_name": "RDP access from the Internet should be blocked", + "enforce": false, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", + "name": "Deny-RDP-From-Internet", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"effect\":{\"value\":\"Deny\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg\"]", + "mode": "managed", + "type": 
"azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets.", + "display_name": "Subnets should have a Network Security Group", + "enforce": false, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", + "name": "Deny-Subnet-Without-Nsg", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"effect\":{\"value\":\"Deny\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. 
Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.", + "display_name": "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy", + "enforce": false, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", + "name": "Deploy-VM-Backup", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"effect\":{\"value\":\"deployIfNotExists\"},\"exclusionTagName\":{\"value\":\"\"},\"exclusionTagValue\":{\"value\":[]}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-IP-Forwarding\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-IP-Forwarding", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. 
This should be reviewed by the network security team.", + "display_name": "Network interfaces should disable IP forwarding", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deny-IP-Forwarding", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Containers-AKS\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Containers-AKS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. 
For more information, see https://aka.ms/kubepolicydoc.", + "display_name": "Kubernetes cluster should not allow privileged containers", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deny-Priv-Containers-AKS", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"effect\":{\"value\":\"deny\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Escalation-AKS\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Escalation-AKS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. 
For more information, see https://aka.ms/kubepolicydoc.", + "display_name": "Kubernetes clusters should not allow container privilege escalation", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deny-Priv-Escalation-AKS", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"effect\":{\"value\":\"deny\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies any network security rule that allows RDP access from Internet.", + "display_name": "RDP access from the Internet should be blocked", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deny-RDP-From-Internet", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + 
"non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Storage-http\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Storage-http", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "display_name": "Secure transfer to storage accounts should be enabled", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deny-Storage-http", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": 
"enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets.", + "display_name": "Subnets should have a Network Security Group", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deny-Subnet-Without-Nsg", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-AKS-Policy\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-AKS-Policy", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. 
For more information, see https://aka.ms/akspolicydoc.", + "display_name": "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deploy-AKS-Policy", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-DB-Auditing\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-DB-Auditing", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.", + "display_name": "Auditing on SQL server should be enabled", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deploy-SQL-DB-Auditing", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9", + "timeouts": null 
+ }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Threat\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Threat", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy ensures that Threat Detection is enabled on SQL Servers.", + "display_name": "Deploy Threat Detection on SQL servers", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deploy-SQL-Threat", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup", + "provider_name": 
"registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.", + "display_name": "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deploy-VM-Backup", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. 
For more information, visit https://aka.ms/ddosprotectiondocs.", + "display_name": "Virtual networks should be protected by Azure DDoS Protection Standard", + "enforce": false, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Enable-DDoS-VNET", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"ddosPlan\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-1-ddos/providers/Microsoft.Network/ddosProtectionPlans/root-id-1-ddos-northeurope\"},\"effect\":{\"value\":\"Modify\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-AKS-HTTPS\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-AKS-HTTPS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. 
For more info, visit https://aka.ms/kubepolicydoc.", + "display_name": "Kubernetes clusters should be accessible only over HTTPS", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Enforce-AKS-HTTPS", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"effect\":{\"value\":\"deny\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. 
Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit.", + "display_name": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Enforce-TLS-SSL", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-management/providers/Microsoft.Authorization/policyAssignments/Deploy-Log-Analytics\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-management/providers/Microsoft.Authorization/policyAssignments/Deploy-Log-Analytics", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy-Log-Analytics.", + "display_name": "Deploy-Log-Analytics", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-management", + "name": "Deploy-Log-Analytics", + "non_compliance_message": [], + "not_scopes": [], + "parameters": 
"{\"automationAccountName\":{\"value\":\"root-id-1-automation\"},\"automationRegion\":{\"value\":\"northeurope\"},\"dataRetention\":{\"value\":\"30\"},\"effect\":{\"value\":\"DeployIfNotExists\"},\"rgName\":{\"value\":\"root-id-1-mgmt\"},\"sku\":{\"value\":\"pergb2018\"},\"workspaceName\":{\"value\":\"root-id-1-la\"},\"workspaceRegion\":{\"value\":\"northeurope\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Monitoring\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Monitoring", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enable Monitoring in Azure Security Center.", + "display_name": "Enable Monitoring in Azure Security Center", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-ASC-Monitoring", + "non_compliance_message": [], + "not_scopes": [], + "parameters": 
"{\"aadAuthenticationInSqlServerMonitoringEffect\":{\"value\":\"Disabled\"},\"diskEncryptionMonitoringEffect\":{\"value\":\"Disabled\"},\"encryptionOfAutomationAccountMonitoringEffect\":{\"value\":\"Disabled\"},\"identityDesignateLessThanOwnersMonitoringEffect\":{\"value\":\"Disabled\"},\"identityDesignateMoreThanOneOwnerMonitoringEffect\":{\"value\":\"Disabled\"},\"identityEnableMFAForWritePermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveDeprecatedAccountMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"jitNetworkAccessMonitoringEffect\":{\"value\":\"Disabled\"},\"networkSecurityGroupsOnSubnetsMonitoringEffect\":{\"value\":\"AuditIfNotExists\"},\"sqlDbEncryptionMonitoringEffect\":{\"value\":\"Disabled\"},\"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\":{\"value\":\"Disabled\"},\"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\":{\"value\":\"Disabled\"},\"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\":{\"value\":\"Disabled\"},\"sqlServerAdvancedDataSecurityMonitoringEffect\":{\"value\":\"Disabled\"},\"systemUpdatesMonitoringEffect\":{\"value\":\"Disabled\"},\"useRbacRulesMonitoringEffect\":{\"value\":\"Disabled\"},\"vmssSystemUpdatesMonitoringEffect\":{\"value\":\"Disabled\"},\"windowsDefenderExploitGuardMonitoringEffect\":{\"value\":\"Disabled\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": 
"module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-AzActivity-Log\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-AzActivity-Log", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Ensures that Activity Log Diagnostics settings are set to push logs into Log Analytics workspace.", + "display_name": "Deploy Diagnostic Settings for Activity Log to Log Analytics workspace", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-AzActivity-Log", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"logAnalytics\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-LX-Arc-Monitoring\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-LX-Arc-Monitoring", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy-Linux-Arc-Monitoring.", + "display_name": "Deploy-Linux-Arc-Monitoring", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-LX-Arc-Monitoring", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"logAnalytics\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-MDFC-Config\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-MDFC-Config", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy Microsoft Defender for Cloud and Security Contacts", + "display_name": "Deploy Microsoft Defender for Cloud configuration", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + 
"name": "Deploy-MDFC-Config", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"ascExportResourceGroupLocation\":{\"value\":\"northeurope\"},\"ascExportResourceGroupName\":{\"value\":\"root-id-1-asc-export\"},\"emailSecurityContact\":{\"value\":\"security_contact@replace_me\"},\"enableAscForAppServices\":{\"value\":\"DeployIfNotExists\"},\"enableAscForArm\":{\"value\":\"DeployIfNotExists\"},\"enableAscForContainers\":{\"value\":\"DeployIfNotExists\"},\"enableAscForDns\":{\"value\":\"DeployIfNotExists\"},\"enableAscForKeyVault\":{\"value\":\"DeployIfNotExists\"},\"enableAscForOssDb\":{\"value\":\"DeployIfNotExists\"},\"enableAscForServers\":{\"value\":\"DeployIfNotExists\"},\"enableAscForSql\":{\"value\":\"DeployIfNotExists\"},\"enableAscForSqlOnVm\":{\"value\":\"DeployIfNotExists\"},\"enableAscForStorage\":{\"value\":\"DeployIfNotExists\"},\"logAnalytics\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-Resource-Diag\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-Resource-Diag", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Ensures that Azure resources are configured 
to forward diagnostic logs and metrics to an Azure Log Analytics workspace.", + "display_name": "Deploy-Resource-Diag", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-Resource-Diag", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"logAnalytics\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). 
Takes Log Analytics workspace as parameter.", + "display_name": "Enable Azure Monitor for VMs", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-VM-Monitoring", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"logAnalytics_1\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-Monitoring\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-Monitoring", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. 
In CLI this would be az vmss update-instances.", + "display_name": "Enable Azure Monitor for Virtual Machine Scale Sets", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-VMSS-Monitoring", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"logAnalytics_1\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-WS-Arc-Monitoring\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-WS-Arc-Monitoring", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the Log Analytics agent to Windows Azure Arc machines if the agent isn't installed.", + "display_name": "Deploy-Windows-Arc-Monitoring", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-WS-Arc-Monitoring", + "non_compliance_message": [], + "not_scopes": [], + "parameters": 
"{\"logAnalytics\":{\"value\":\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. 
Please note Append does not enforce compliance use then deny.", + "display_name": "AppService append enable https only setting to enforce https setting.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", + "mode": "All", + "name": "Append-AppService-httpsonly", + "parameters": "{\"effect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"field\":\"Microsoft.Web/sites/httpsOnly\",\"notequals\":true}]},\"then\":{\"details\":[{\"field\":\"Microsoft.Web/sites/httpsOnly\",\"value\":true}],\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. 
Please note Append does not enforce compliance use then deny.", + "display_name": "AppService append sites with minimum TLS version to enforce.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", + "mode": "All", + "name": "Append-AppService-latestTLS", + "parameters": "{\"effect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version for a Web App config to enforce\",\"displayName\":\"Select version minimum TLS Web App config\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites/config\",\"field\":\"type\"},{\"field\":\"Microsoft.Web/sites/config/minTlsVersion\",\"notEquals\":\"[parameters('minTlsVersion')]\"}]},\"then\":{\"details\":[{\"field\":\"Microsoft.Web/sites/config/minTlsVersion\",\"value\":\"[parameters('minTlsVersion')]\"}],\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy enables you to ensure when a Key Vault is created with out soft delete enabled it will be added.", + "display_name": "KeyVault SoftDelete 
should be enabled", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Key Vault\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Append-KV-SoftDelete", + "parameters": null, + "policy_rule": "{\"if\":{\"anyOf\":[{\"allOf\":[{\"equals\":\"Microsoft.KeyVault/vaults\",\"field\":\"type\"},{\"field\":\"Microsoft.KeyVault/vaults/enableSoftDelete\",\"notEquals\":true}]}]},\"then\":{\"details\":[{\"field\":\"Microsoft.KeyVault/vaults/enableSoftDelete\",\"value\":true}],\"effect\":\"append\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Cache\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Append-Redis-disableNonSslPort", + "parameters": "{\"effect\":{\"allowedValues\":[\"Append\",\"Disabled\",\"Modify\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis\",\"displayName\":\"Effect Azure Cache for Redis\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Cache/redis\",\"field\":\"type\"},{\"anyOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Cache/Redis/enableNonSslPort\"}]}]},\"then\":{\"details\":[{\"field\":\"Microsoft.Cache/Redis/enableNonSslPort\",\"value\":false}],\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. 
Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Cache\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Append-Redis-sslEnforcement", + "parameters": "{\"effect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis\",\"displayName\":\"Effect Azure Cache for Redis\"},\"type\":\"String\"},\"minimumTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Cache for Redis to enforce\",\"displayName\":\"Select version for Redis server\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Cache/redis\",\"field\":\"type\"},{\"anyOf\":[{\"field\":\"Microsoft.Cache/Redis/minimumTlsVersion\",\"notequals\":\"[parameters('minimumTlsVersion')]\"}]}]},\"then\":{\"details\":[{\"field\":\"Microsoft.Cache/Redis/minimumTlsVersion\",\"value\":\"[parameters('minimumTlsVersion')]\"}],\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + 
"index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.", + "display_name": "Control private endpoint connections to Azure Machine Learning", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Audit-MachineLearning-PrivateEndpointId", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\",\"field\":\"type\"},{\"equals\":\"Approved\",\"field\":\"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\"},{\"notEquals\":\"[subscription().subscriptionId]\",\"value\":\"[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AA-child-resources\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AA-child-resources", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies the creation of child resources on the Automation Account", + "display_name": "No child resources in Automation Account", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Automation\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-AA-child-resources", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Automation/automationAccounts/runbooks\",\"Microsoft.Automation/automationAccounts/variables\",\"Microsoft.Automation/automationAccounts/modules\",\"Microsoft.Automation/automationAccounts/credentials\",\"Microsoft.Automation/automationAccounts/connections\",\"Microsoft.Automation/automationAccounts/certificates\"]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy enables you to restrict that Application Gateways is always deployed with WAF 
enabled", + "display_name": "Application Gateway should be deployed with WAF enabled", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-AppGW-Without-WAF", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/applicationGateways\",\"field\":\"type\"},{\"field\":\"Microsoft.Network/applicationGateways/sku.name\",\"notequals\":\"WAF_v2\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "display_name": "API App should only be accessible over HTTPS", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-AppServiceApiApp-http", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"field\":\"kind\",\"like\":\"*api\"},{\"equals\":\"false\",\"field\":\"Microsoft.Web/sites/httpsOnly\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "display_name": "Function App should only be accessible over HTTPS", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-AppServiceFunctionApp-http", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"field\":\"kind\",\"like\":\"functionapp*\"},{\"equals\":\"false\",\"field\":\"Microsoft.Web/sites/httpsOnly\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "display_name": "Web Application should only be accessible over HTTPS", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-AppServiceWebApp-http", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"field\":\"kind\",\"like\":\"app*\"},{\"equals\":\"false\",\"field\":\"Microsoft.Web/sites/httpsOnly\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp", + "provider_name": 
"registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.", + "display_name": "Deny public IPs for Databricks cluster", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Databricks\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-Databricks-NoPublicIp", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Databricks/workspaces\",\"field\":\"type\"},{\"field\":\"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\"notEquals\":true}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.", + "display_name": "Deny non-premium Databricks sku", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Databricks\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": 
"Deny-Databricks-Sku", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Databricks/workspaces\",\"field\":\"type\"},{\"field\":\"Microsoft.DataBricks/workspaces/sku.name\",\"notEquals\":\"premium\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enforces the use of vnet injection for Databricks workspaces.", + "display_name": "Deny Databricks workspaces without Vnet injection", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Databricks\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-Databricks-VirtualNetwork", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Databricks/workspaces\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value\"},{\"exists\":false,\"field\":\"Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value\"},{\"exists\":false,\"field\":\"Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Aks\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Aks", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.", + "display_name": "Deny AKS cluster creation in Azure Machine Learning", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MachineLearning-Aks", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"equals\":\"AKS\",\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/resourceId\"},{\"equals\":true,\"value\":\"[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-SubnetId\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-SubnetId", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.", + "display_name": "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MachineLearning-Compute-SubnetId", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\"in\":[\"AmlCompute\",\"ComputeInstance\"]},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/subnet.id\"},{\"equals\":true,\"value\":\"[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-VmSize\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-VmSize", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.", + "display_name": "Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Budget\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MachineLearning-Compute-VmSize", + "parameters": 
"{\"allowedVmSizes\":{\"defaultValue\":[\"Standard_D1_v2\",\"Standard_D2_v2\",\"Standard_D3_v2\",\"Standard_D4_v2\",\"Standard_D11_v2\",\"Standard_D12_v2\",\"Standard_D13_v2\",\"Standard_D14_v2\",\"Standard_DS1_v2\",\"Standard_DS2_v2\",\"Standard_DS3_v2\",\"Standard_DS4_v2\",\"Standard_DS5_v2\",\"Standard_DS11_v2\",\"Standard_DS12_v2\",\"Standard_DS13_v2\",\"Standard_DS14_v2\",\"Standard_M8-2ms\",\"Standard_M8-4ms\",\"Standard_M8ms\",\"Standard_M16-4ms\",\"Standard_M16-8ms\",\"Standard_M16ms\",\"Standard_M32-8ms\",\"Standard_M32-16ms\",\"Standard_M32ls\",\"Standard_M32ms\",\"Standard_M32ts\",\"Standard_M64-16ms\",\"Standard_M64-32ms\",\"Standard_M64ls\",\"Standard_M64ms\",\"Standard_M64s\",\"Standard_M128-32ms\",\"Standard_M128-64ms\",\"Standard_M128ms\",\"Standard_M128s\",\"Standard_M64\",\"Standard_M64m\",\"Standard_M128\",\"Standard_M128m\",\"Standard_D1\",\"Standard_D2\",\"Standard_D3\",\"Standard_D4\",\"Standard_D11\",\"Standard_D12\",\"Standard_D13\",\"Standard_D14\",\"Standard_DS15_v2\",\"Standard_NV6\",\"Standard_NV12\",\"Standard_NV24\",\"Standard_F2s_v2\",\"Standard_F4s_v2\",\"Standard_F8s_v2\",\"Standard_F16s_v2\",\"Standard_F32s_v2\",\"Standard_F64s_v2\",\"Standard_F72s_v2\",\"Standard_NC6s_v3\",\"Standard_NC12s_v3\",\"Standard_NC24rs_v3\",\"Standard_NC24s_v3\",\"Standard_NC6\",\"Standard_NC12\",\"Standard_NC24\",\"Standard_NC24r\",\"Standard_ND6s\",\"Standard_ND12s\",\"Standard_ND24rs\",\"Standard_ND24s\",\"Standard_NC6s_v2\",\"Standard_NC12s_v2\",\"Standard_NC24rs_v2\",\"Standard_NC24s_v2\",\"Standard_ND40rs_v2\",\"Standard_NV12s_v3\",\"Standard_NV24s_v3\",\"Standard_NV48s_v3\"],\"metadata\":{\"description\":\"Specifies the allowed VM Sizes for Aml Compute Clusters and Instances\",\"displayName\":\"Allowed VM Sizes for Aml Compute Clusters and Instances\"},\"type\":\"Array\"},\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\"in\":[\"AmlCompute\",\"ComputeInstance\"]},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/vmSize\",\"notIn\":\"[parameters('allowedVmSizes')]\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deny public access of Azure Machine Learning clusters via SSH.", + "display_name": "Deny public access of Azure Machine Learning clusters via SSH", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"equals\":\"AmlCompute\",\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\"notEquals\":\"Disabled\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-Scale\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-Scale", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enforce scale settings for Azure Machine Learning compute clusters.", + "display_name": "Enforce scale settings for Azure Machine Learning compute clusters", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Budget\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MachineLearning-ComputeCluster-Scale", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"maxNodeCount\":{\"defaultValue\":10,\"metadata\":{\"description\":\"Specifies the maximum node count of AML Clusters\",\"displayName\":\"Maximum Node 
Count\"},\"type\":\"Integer\"},\"maxNodeIdleTimeInSecondsBeforeScaleDown\":{\"defaultValue\":900,\"metadata\":{\"description\":\"Specifies the maximum node idle time in seconds before scaledown\",\"displayName\":\"Maximum Node Idle Time in Seconds Before Scaledown\"},\"type\":\"Integer\"},\"minNodeCount\":{\"defaultValue\":0,\"metadata\":{\"description\":\"Specifies the minimum node count of AML Clusters\",\"displayName\":\"Minimum Node Count\"},\"type\":\"Integer\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"equals\":\"AmlCompute\",\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\"},{\"anyOf\":[{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount\",\"greater\":\"[parameters('maxNodeCount')]\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount\",\"greater\":\"[parameters('minNodeCount')]\"},{\"greater\":\"[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]\",\"value\":\"[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-HbiWorkspace\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-HbiWorkspace", + "provider_name": 
"registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enforces high business impact Azure Machine Learning workspaces.", + "display_name": "Enforces high business impact Azure Machine Learning Workspaces", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MachineLearning-HbiWorkspace", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\"notEquals\":true}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicAccessWhenBehindVnet\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicAccessWhenBehindVnet", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deny public access behind vnet to Azure Machine Learning workspaces.", + "display_name": "Deny public acces behind vnet to Azure Machine Learning workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Machine 
Learning\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MachineLearning-PublicAccessWhenBehindVnet", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\"notEquals\":false}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Denies public network access for Azure Machine Learning workspaces.", + "display_name": "Azure Machine Learning should have disabled public network access", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MachineLearning-PublicNetworkAccess", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces\",\"field\":\"type\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/publicNetworkAccess\",\"notEquals\":\"Disabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "MySQL database servers enforce SSL connections.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MySql-http", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"Select version minimum TLS for MySQL server\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforMySQL/servers\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\"},{\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"},{\"field\":\"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Azure Database 
for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "PostgreSQL database servers enforce SSL connection.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.1\"}", + "mode": "Indexed", + "name": "Deny-PostgreSql-http", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"Select version minimum TLS for MySQL server\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforPostgreSQL/servers\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Private-DNS-Zones\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Private-DNS-Zones", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies the creation of a private DNS in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription", + "display_name": "Deny the creation of private DNS", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-Private-DNS-Zones", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/privateDnsZones\",\"field\":\"type\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": 
"This policy denies the creation of Maria DB accounts with exposed public endpoints", + "display_name": "Public network access should be disabled for MariaDB", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-PublicEndpoint-MariaDB", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforMariaDB/servers\",\"field\":\"type\"},{\"field\":\"Microsoft.DBforMariaDB/servers/publicNetworkAccess\",\"notequals\":\"Disabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies creation of Public IPs under the assigned scope.", + "display_name": "Deny the creation of public IP", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-PublicIP", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/publicIPAddresses\",\"field\":\"type\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies any network security rule that allows RDP access from Internet", + "display_name": "RDP access from the Internet should be blocked", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", + "mode": "All", + "name": "Deny-RDP-From-Internet", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/networkSecurityGroups/securityRules\",\"field\":\"type\"},{\"allOf\":[{\"equals\":\"Allow\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/access\"},{\"equals\":\"Inbound\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/direction\"},{\"anyOf\":[{\"equals\":\"*\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\"},{\"equals\":\"3389\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\"},{\"equals\":\"true\",\"value\":\"[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]\"},{\"count\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"where\":{\"equals\":\"true\",\"value\":\"[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 
'false')]\"}},\"greater\":0},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"notEquals\":\"3389\"}}]},{\"anyOf\":[{\"equals\":\"*\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\"},{\"equals\":\"Internet\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\"},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\"notEquals\":\"Internet\"}}]}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking", + "display_name": "Azure Cache for Redis only secure connections should be enabled", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Cache\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-Redis-http", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"The effect determines what happens when the policy rule is evaluated to match\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimumTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select minimum TLS version for Azure Cache for Redis.\",\"displayName\":\"Select minumum TLS version for Azure Cache for Redis.\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Cache/redis\",\"field\":\"type\"},{\"anyOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Cache/Redis/enableNonSslPort\"},{\"field\":\"Microsoft.Cache/Redis/minimumTlsVersion\",\"notequals\":\"[parameters('minimumTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Setting minimal TLS 
version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.", + "display_name": "Azure SQL Database should have the minimal TLS version set to the highest version", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-Sql-minTLS", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version SQL servers to enforce\",\"displayName\":\"Select version for SQL server\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Sql/servers\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.Sql/servers/minimalTlsVersion\"},{\"field\":\"Microsoft.Sql/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Setting minimal TLS 
version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.", + "display_name": "SQL Managed Instance should have the minimal TLS version set to the highest version", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-SqlMi-minTLS", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version SQL servers to enforce\",\"displayName\":\"Select version for SQL server\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Sql/managedInstances\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.Sql/managedInstances/minimalTlsVersion\"},{\"field\":\"Microsoft.Sql/managedInstances/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + 
"description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking", + "display_name": "Storage Account set to minumum TLS and Secure transfer should be enabled", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Storage\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-Storage-minTLS", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"The effect determines what happens when the policy rule is evaluated to match\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimumTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_1\",\"TLS1_0\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version on Azure Storage Account to enforce\",\"displayName\":\"Storage Account select minimum TLS version\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Storage/storageAccounts\",\"field\":\"type\"},{\"anyOf\":[{\"allOf\":[{\"less\":\"2019-04-01\",\"value\":\"[requestContext().apiVersion]\"},{\"exists\":\"false\",\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\"}]},{\"equals\":\"false\",\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\"},{\"field\":\"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\"notequals\":\"[parameters('minimumTlsVersion')]\"},{\"exists\":\"false\",\"field\":\"Microsoft.Storage/storageAccounts/minimumTlsVersion\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level.", + "display_name": "Subnets should have a Network Security Group", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"2.0.0\"}", + "mode": "All", + "name": "Deny-Subnet-Without-Nsg", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"excludedSubnets\":{\"defaultValue\":[\"GatewaySubnet\",\"AzureFirewallSubnet\",\"AzureFirewallManagementSubnet\"],\"metadata\":{\"description\":\"Array of subnet names that are excluded from this policy\",\"displayName\":\"Excluded Subnets\"},\"type\":\"Array\"}}", + "policy_rule": 
"{\"if\":{\"anyOf\":[{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks\",\"field\":\"type\"},{\"count\":{\"field\":\"Microsoft.Network/virtualNetworks/subnets[*]\",\"where\":{\"allOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id\"},{\"field\":\"Microsoft.Network/virtualNetworks/subnets[*].name\",\"notIn\":\"[parameters('excludedSubnets')]\"}]}},\"notEquals\":0}]},{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks/subnets\",\"field\":\"type\"},{\"field\":\"name\",\"notIn\":\"[parameters('excludedSubnets')]\"},{\"exists\":\"false\",\"field\":\"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies the creation of a subnet without a User Defined Route (UDR).", + "display_name": "Subnets should have a User Defined Route", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"2.0.0\"}", + "mode": "All", + "name": "Deny-Subnet-Without-Udr", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"excludedSubnets\":{\"defaultValue\":[\"AzureBastionSubnet\"],\"metadata\":{\"description\":\"Array of subnet names that are excluded from this policy\",\"displayName\":\"Excluded Subnets\"},\"type\":\"Array\"}}", + "policy_rule": "{\"if\":{\"anyOf\":[{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks\",\"field\":\"type\"},{\"count\":{\"field\":\"Microsoft.Network/virtualNetworks/subnets[*]\",\"where\":{\"allOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.Network/virtualNetworks/subnets[*].routeTable.id\"},{\"field\":\"Microsoft.Network/virtualNetworks/subnets[*].name\",\"notIn\":\"[parameters('excludedSubnets')]\"}]}},\"notEquals\":0}]},{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks/subnets\",\"field\":\"type\"},{\"field\":\"name\",\"notIn\":\"[parameters('excludedSubnets')]\"},{\"exists\":\"false\",\"field\":\"Microsoft.Network/virtualNetworks/subnets/routeTable.id\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.", + "display_name": "Deny vNet peering cross subscription.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.1\"}", + "mode": "All", + "name": 
"Deny-VNET-Peer-Cross-Sub", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\"field\":\"type\"},{\"field\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id\",\"notcontains\":\"[subscription().id]\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-VNet-Peering\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-VNet-Peering", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies the creation of vNet Peerings under the assigned scope.", + "display_name": "Deny vNet peering ", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.1\"}", + "mode": "All", + "name": "Deny-VNet-Peering", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\"field\":\"type\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { 
+ "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy Azure Security Center Security Contacts", + "display_name": "Deploy Azure Security Center Security Contacts", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Security Center\",\"version\":\"1.0.0\"}", + "mode": "All", + "name": "Deploy-ASC-SecurityContacts", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"string\"},\"emailSecurityContact\":{\"metadata\":{\"description\":\"Provide email address for Azure Security Center contact details\",\"displayName\":\"Security contacts email address\"},\"type\":\"string\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"emailSecurityContact\":{\"value\":\"[parameters('emailSecurityContact')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"emailSecurityContact\":{\"metadata\":{\"description\":\"Security contacts email 
address\"},\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2020-01-01-preview\",\"name\":\"default\",\"properties\":{\"alertNotifications\":{\"minimalSeverity\":\"High\",\"state\":\"On\"},\"emails\":\"[parameters('emailSecurityContact')]\",\"notificationsByRole\":{\"roles\":[\"Owner\"],\"state\":\"On\"}},\"type\":\"Microsoft.Security/securityContacts\"}],\"variables\":{}}}},\"deploymentScope\":\"subscription\",\"existenceCondition\":{\"allOf\":[{\"contains\":\"[parameters('emailSecurityContact')]\",\"field\":\"Microsoft.Security/securityContacts/email\"},{\"equals\":\"Microsoft.Security/securityContacts\",\"field\":\"type\"},{\"equals\":\"On\",\"field\":\"Microsoft.Security/securityContacts/alertNotifications\"},{\"equals\":\"On\",\"field\":\"Microsoft.Security/securityContacts/alertsToAdmins\"}]},\"existenceScope\":\"subscription\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd\"],\"type\":\"Microsoft.Security/securityContacts\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Budget\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Budget", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy a default budget on all subscriptions under the assigned scope", + "display_name": "Deploy a default budget on all subscriptions under the assigned scope", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Budget\",\"version\":\"1.1.0\"}", + "mode": "All", + "name": 
"Deploy-Budget", + "parameters": "{\"amount\":{\"defaultValue\":\"1000\",\"metadata\":{\"description\":\"The total amount of cost or usage to track with the budget\"},\"type\":\"String\"},\"budgetName\":{\"defaultValue\":\"budget-set-by-policy\",\"metadata\":{\"description\":\"The name for the budget to be created\"},\"type\":\"String\"},\"contactEmails\":{\"defaultValue\":[],\"metadata\":{\"description\":\"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"},\"type\":\"Array\"},\"contactGroups\":{\"defaultValue\":[],\"metadata\":{\"description\":\"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"},\"type\":\"Array\"},\"contactRoles\":{\"defaultValue\":[\"Owner\",\"Contributor\"],\"metadata\":{\"description\":\"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"},\"type\":\"Array\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\"},\"type\":\"String\"},\"firstThreshold\":{\"defaultValue\":\"90\",\"metadata\":{\"description\":\"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"},\"type\":\"String\"},\"secondThreshold\":{\"defaultValue\":\"100\",\"metadata\":{\"description\":\"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"},\"type\":\"String\"},\"timeGrain\":{\"allowedValues\":[\"Monthly\",\"Quarterly\",\"Annually\",\"BillingMonth\",\"BillingQuarter\",\"BillingAnnual\"],\"defaultValue\":\"Monthly\",\"metadata\":{\"description\":\"The time covered by a budget. 
Tracking of the amount will be reset based on the time grain.\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"amount\":{\"value\":\"[parameters('amount')]\"},\"budgetName\":{\"value\":\"[parameters('budgetName')]\"},\"contactEmails\":{\"value\":\"[parameters('contactEmails')]\"},\"contactGroups\":{\"value\":\"[parameters('contactGroups')]\"},\"contactRoles\":{\"value\":\"[parameters('contactRoles')]\"},\"firstThreshold\":{\"value\":\"[parameters('firstThreshold')]\"},\"secondThreshold\":{\"value\":\"[parameters('secondThreshold')]\"},\"timeGrain\":{\"value\":\"[parameters('timeGrain')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"amount\":{\"type\":\"String\"},\"budgetName\":{\"type\":\"String\"},\"contactEmails\":{\"type\":\"Array\"},\"contactGroups\":{\"type\":\"Array\"},\"contactRoles\":{\"type\":\"Array\"},\"firstThreshold\":{\"type\":\"String\"},\"secondThreshold\":{\"type\":\"String\"},\"startDate\":{\"defaultValue\":\"[concat(utcNow('MM'), '/01/', 
utcNow('yyyy'))]\",\"type\":\"String\"},\"timeGrain\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2019-10-01\",\"name\":\"[parameters('budgetName')]\",\"properties\":{\"amount\":\"[parameters('amount')]\",\"category\":\"Cost\",\"notifications\":{\"NotificationForExceededBudget1\":{\"contactEmails\":\"[parameters('contactEmails')]\",\"contactGroups\":\"[parameters('contactGroups')]\",\"contactRoles\":\"[parameters('contactRoles')]\",\"enabled\":true,\"operator\":\"GreaterThan\",\"threshold\":\"[parameters('firstThreshold')]\"},\"NotificationForExceededBudget2\":{\"contactEmails\":\"[parameters('contactEmails')]\",\"contactGroups\":\"[parameters('contactGroups')]\",\"contactRoles\":\"[parameters('contactRoles')]\",\"enabled\":true,\"operator\":\"GreaterThan\",\"threshold\":\"[parameters('secondThreshold')]\"}},\"timeGrain\":\"[parameters('timeGrain')]\",\"timePeriod\":{\"startDate\":\"[parameters('startDate')]\"}},\"type\":\"Microsoft.Consumption/budgets\"}]}}},\"deploymentScope\":\"subscription\",\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('amount')]\",\"field\":\"Microsoft.Consumption/budgets/amount\"},{\"equals\":\"[parameters('timeGrain')]\",\"field\":\"Microsoft.Consumption/budgets/timeGrain\"},{\"equals\":\"Cost\",\"field\":\"Microsoft.Consumption/budgets/category\"}]},\"existenceScope\":\"subscription\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Consumption/budgets\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Custom-Route-Table\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Custom-Route-Table", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys a route table with specific user defined routes when one does not exist. The route table deployed by the policy must be manually associated to subnet(s)", + "display_name": "Deploy a route table with specific user defined routes", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Custom-Route-Table", + "parameters": "{\"disableBgpPropagation\":{\"defaultValue\":false,\"metadata\":{\"description\":\"Disable BGP Propagation\",\"displayName\":\"DisableBgpPropagation\"},\"type\":\"Boolean\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"requiredRoutes\":{\"metadata\":{\"description\":\"Routes that must exist in compliant route tables deployed by this policy\",\"displayName\":\"requiredRoutes\"},\"type\":\"Array\"},\"routeTableName\":{\"metadata\":{\"description\":\"Name of the route table automatically deployed by this policy\",\"displayName\":\"routeTableName\"},\"type\":\"String\"},\"vnetRegion\":{\"metadata\":{\"description\":\"Only VNets in this region will be evaluated against this policy\",\"displayName\":\"vnetRegion\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks\",\"field\":\"type\"},{\"equals\":\"[parameters('vnetRegion')]\",\"field\":\"location\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"disableBgpPropagation\":{\"value\":\"[parameters('disableBgpPropagation')]\"},\"requiredRoutes\":{\"value\":\"[parameters('requiredRoutes')]\"},\"routeTableName\":{\"value\":\"[parameters('routeTableName')]\"},\"vnetRegion\":{\"value\":\"[parameters('vnetRegion')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"disableBgpPropagation\":{\"type\":\"bool\"},\"requiredRoutes\":{\"type\":\"array\"},\"routeTableName\":{\"type\":\"string\"},\"vnetRegion\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2021-04-01\",\"name\":\"routeTableDepl\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"disableBgpPropagation\":{\"value\":\"[parameters('disableBgpPropagation')]\"},\"requiredRoutes\":{\"value\":\"[parameters('requiredRoutes')]\"},\"routeTableName\":{\"value\":\"[parameters('routeTableName')]\"},\"vnetRegion\":{\"value\":\"[parameters('vnetRegion')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"disableBgpPropagation\":{\"type\":\"bool\"},\"requiredRoutes\":{\"type\":\"array\"},\"routeTableName\":{\"type\":\"string\"},\"vnetRegion\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2021-02-01\",\"location\":\"[[parameters('vnetRegion')]\",\"name\":\"[[parameters('routeTableName')]\",\"properties\":{\"copy\":\"[variables('copyLoop')]\",\"disableBgpRoutePropagation\":\"[[parameters('disableBgpPropagation')]\"},\"type\":\"Microsoft.Network/routeTables\"}]}},\"type\":\"Microsoft.Resources/deployments\"}],\"variables\":{\"copyLoop\":[{\"count\":\"[[length(parameters('requir
edRoutes'))]\",\"input\":{\"name\":\"[[concat('route-',copyIndex('routes'))]\",\"properties\":{\"addressPrefix\":\"[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[0]]\",\"nextHopIpAddress\":\"[[if(equals(toLower(split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]),'virtualappliance'),split(parameters('requiredRoutes')[copyIndex('routes')], ';')[2], null())]\",\"nextHopType\":\"[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]]\"}},\"name\":\"routes\"}]}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('routeTableName')]\",\"field\":\"name\"},{\"count\":{\"field\":\"Microsoft.Network/routeTables/routes[*]\",\"where\":{\"in\":\"[parameters('requiredRoutes')]\",\"value\":\"[concat(current('Microsoft.Network/routeTables/routes[*].addressPrefix'), ';', current('Microsoft.Network/routeTables/routes[*].nextHopType'), if(equals(toLower(current('Microsoft.Network/routeTables/routes[*].nextHopType')),'virtualappliance'), concat(';', current('Microsoft.Network/routeTables/routes[*].nextHopIpAddress')), ''))]\"}},\"equals\":\"[length(parameters('requiredRoutes'))]\"}]},\"roleDefinitionIds\":[\"/subscriptions/e867a45d-e513-44ac-931e-4741cef80b24/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"],\"type\":\"Microsoft.Network/routeTables\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-DDoSProtection\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-DDoSProtection", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + 
"schema_version": 0, + "values": { + "description": "Deploys an Azure DDoS Protection Standard plan", + "display_name": "Deploy an Azure DDoS Protection Standard plan", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", + "mode": "All", + "name": "Deploy-DDoSProtection", + "parameters": "{\"ddosName\":{\"metadata\":{\"description\":\"DDoSVnet\",\"displayName\":\"ddosName\"},\"type\":\"String\"},\"ddosRegion\":{\"metadata\":{\"description\":\"DDoSVnet location\",\"displayName\":\"ddosRegion\",\"strongType\":\"location\"},\"type\":\"String\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"rgName\":{\"metadata\":{\"description\":\"Provide name for resource group.\",\"displayName\":\"rgName\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"ddosname\":{\"value\":\"[parameters('ddosname')]\"},\"ddosregion\":{\"value\":\"[parameters('ddosRegion')]\"},\"rgName\":{\"value\":\"[parameters('rgName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"ddosRegion\":{\"type\":\"String\"},\"ddosname\":{\"type\":\"String\"},\"rgName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2018-05-01\",\"location\":\"[deployment().location]\",\"name\":\"[parameters('rgName')]\",\"properties\":{},\"type\":\"Microsoft.Resources/resourceGroups\"},{\"apiVersion\":\"2018-05-01\",\"dependsOn\":[\"[resourceId('Microsoft.Resources/resourceGroups/', 
parameters('rgName'))]\"],\"name\":\"ddosprotection\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{},\"resources\":[{\"apiVersion\":\"2019-12-01\",\"location\":\"[parameters('ddosRegion')]\",\"name\":\"[parameters('ddosName')]\",\"properties\":{},\"type\":\"Microsoft.Network/ddosProtectionPlans\"}]}},\"resourceGroup\":\"[parameters('rgName')]\",\"type\":\"Microsoft.Resources/deployments\"}]}}},\"deploymentScope\":\"subscription\",\"existenceScope\":\"resourceGroup\",\"name\":\"[parameters('ddosName')]\",\"resourceGroupName\":\"[parameters('rgName')]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"],\"type\":\"Microsoft.Network/ddosProtectionPlans\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Automation to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-AA", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Automation/automationAccounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"JobLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"JobStreams\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DscNodeStatus\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AuditEvent\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Automation/automationAccounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic 
settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.", + "display_name": "Deploy Diagnostic Settings for Container Instances to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-ACI", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.ContainerInstance/containerGroups\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.ContainerInstance/containerGroups/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + 
"timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.", + "display_name": "Deploy Diagnostic Settings for Container Registry to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-ACR", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.ContainerRegistry/registries\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[paramet
ers('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ContainerRegistryLoginEvents\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ContainerRegistryRepositoryEvents\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.ContainerRegistry/registries/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings 
for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for API Management to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-APIMgmt", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.ApiManagement/service\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"GatewayLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.ApiManagement/service/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-AnalysisService", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.AnalysisServices/servers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Engine\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Service\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.AnalysisServices/servers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is 
created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-ApiForFHIR", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.HealthcareApis/services\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.HealthcareApis/services/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-ApplicationGateway", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/applicationGateways\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ApplicationGatewayAccessLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ApplicationGatewayPerformanceLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ApplicationGatewayFirewallLog\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/applicationGateways/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic 
settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-CDNEndpoints", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Cdn/profiles/endpoints\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('fullName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"CoreAnalytics\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Cdn/profiles/endpoints/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-CognitiveServices", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.CognitiveServices/accounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameter
s('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"RequestResponse\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Trace\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.CognitiveServices/accounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": 
"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-CosmosDB", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DocumentDB/databaseAccounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"DataPlaneRequests\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"MongoRequests\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"QueryRuntimeStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"PartitionKeyStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"PartitionKeyRUConsumption\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ControlPlaneRequests\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"CassandraRequests\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"GremlinRequests\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"Requests\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DocumentDB/databaseAccounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\"]", + "mode": 
"managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-DLAnalytics", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.DataLakeAnalytics/accounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameter
s('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Requests\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Azure Data Explorer 
Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-DataExplorerCluster", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Kusto/Clusters\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"SucceededIngestion\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"FailedIngestion\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"IngestionBatching\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Command\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Query\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TableUsageStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TableDetails\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Kusto/Clusters/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Data Factory to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-DataFactory", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.DataFactory/factories\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('lo
cation')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ActivityRuns\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"PipelineRuns\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TriggerRuns\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageEventMessages\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageExecutableStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageEventMessageContext\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageExecutionComponentPhases\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageExecutionDataStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISIntegrationRuntimeLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DataFactory/factories/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Databricks to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-Databricks", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Databricks/workspaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"dbfs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"clusters\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"accounts\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"jobs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"notebook\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ssh\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"workspace\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"secrets\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"sqlPermissions\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"instancePools\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Databricks/workspaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-EventGridSub", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.EventGrid/eventSubscriptions\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.EventGrid/eventSubscriptions/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-EventGridSystemTopic", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.EventGrid/systemTopics\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"DeliveryFailures\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.EventGrid/systemTopics/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-EventGridTopic", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.EventGrid/topics\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"DeliveryFailures\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"PublishFailures\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.EventGrid/topics/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is 
created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-ExpressRoute", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/expressRouteCircuits\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"PeeringRouteLog\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/expressRouteCircuits/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Firewall to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-Firewall", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/azureFirewalls\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AzureFirewallApplicationRule\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AzureFirewallNetworkRule\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AzureFirewallDnsProxy\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/azureFirewalls/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Front Door to 
stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Front Door to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-FrontDoor", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/frontDoors\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"FrontdoorAccessLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"FrontdoorWebApplicationFirewallLog\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/frontDoors/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this 
diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-Function", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"contains\":\"functionapp\",\"value\":\"[field('kind')]\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"FunctionAppLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Web/sites/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for HDInsight to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-HDInsight", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.HDInsight/clusters\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.HDInsight/clusters/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + 
"sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-LoadBalancer", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/loadBalancers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('lo
cation')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"LoadBalancerAlertEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"LoadBalancerProbeHealthStatus\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/loadBalancers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Logic 
Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-LogicAppsISE", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Logic/integrationAccounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"IntegrationAccountTrackingEvents\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Logic/integrationAccounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for MariaDB to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-MariaDB", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.DBforMariaDB/servers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('loc
ation')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"MySqlSlowLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"MySqlAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DBforMariaDB/servers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Azure Media Service to stream to a 
Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-MediaService", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Media/mediaServices\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"KeyDeliveryRequests\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Media/mediaServices/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-MlWorkspace", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.MachineLearningServices/workspaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AmlComputeClusterEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AmlComputeClusterNodeEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AmlComputeJobEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AmlComputeCpuGpuUtilization\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AmlRunStatusChangedEvent\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"Run\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null},{\"category\":\"Model\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":true}},{\"category\":\"Quota\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null},{\"category\":\"Resource\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.MachineLearningServices/workspaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-MySQL", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.DBforMySQL/servers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('locat
ion')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"MySqlSlowLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"MySqlAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DBforMySQL/servers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace 
when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-NIC", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/networkInterfaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/networkInterfaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + 
"sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-NetworkSecurityGroups", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/networkSecurityGroups\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"NetworkSecurityGroupEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"NetworkSecurityGroupRuleCounter\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-PostgreSQL", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DBforPostgreSQL/servers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"PostgreSQLLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"QueryStoreRuntimeStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"QueryStoreWaitStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DBforPostgreSQL/servers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Power BI 
Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-PowerBIEmbedded", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.PowerBIDedicated/capacities\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Engine\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.PowerBIDedicated/capacities/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-RedisCache", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Cache/redis\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Cache/redis/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + 
}, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Relay to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-Relay", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Relay/namespaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('locatio
n')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"HybridConnectionsEvent\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Relay/namespaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this 
diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-SQLElasticPools", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Sql/servers/elasticPools\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('fullName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Sql/servers/elasticPools/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + 
}, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-SQLMI", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Sql/managedInstances\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ResourceUsageStats\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SQLSecurityAuditEvents\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DevOpsOperationsAudit\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Sql/managedInstances/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for SignalR to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-SignalR", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.SignalRService/SignalR\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AllLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.SignalRService/SignalR/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-TimeSeriesInsights", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.TimeSeriesInsights/environments\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Ingress\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Management\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.TimeSeriesInsights/environments/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic 
settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-TrafficManager", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/trafficManagerProfiles\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ProbeHealthStatusEvents\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/trafficManagerProfiles/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-VM", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Compute/virtualMachines\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false}}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Compute/virtualMachines/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": 
{} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-VMSS", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false}}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Compute/virtualMachineScaleSets/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled.", + "display_name": "Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-VNetGW", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/virtualNetworkGateways\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"GatewayDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"IKEDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"P2SDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"RouteDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"RouteDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TunnelDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/virtualNetworkGateways/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-VirtualNetwork", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/virtualNetworks\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('
location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"VMProtectionAlerts\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false}}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/virtualNetworks/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for WVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic 
settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "display_name": "Deploy Diagnostic Settings for WVD Application group to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-WVDAppGroup", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DesktopVirtualization/applicationGroups\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Checkpoint\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Error\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Management\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DesktopVirtualization/applicationGroups/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for WVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all and categorys enabled.", + "display_name": "Deploy Diagnostic Settings for WVD Host Pools to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-WVDHostPools", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DesktopVirtualization/hostpools\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Checkpoint\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Error\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Management\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Connection\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"HostRegistration\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AgentHealthStatus\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DesktopVirtualization/hostpools/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for WVD Workspace to stream to a Log Analytics workspace when any 
Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "display_name": "Deploy Diagnostic Settings for WVD Workspace to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-WVDWorkspace", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DesktopVirtualization/workspaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Checkpoint\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Error\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Management\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Feed\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DesktopVirtualization/workspaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-WebServerFarm", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Web/serverfarms\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Web/serverfarms/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + 
"sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for App Service to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-Website", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"notContains\":\"functionapp\",\"value\":\"[field('kind')]\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"20
17-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AppServiceAntivirusScanAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceHTTPLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceConsoleLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceHTTPLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceAppLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceFileAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceIPSecAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServicePlatformLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Web/sites/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": 
{} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-iotHub", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Devices/IotHubs\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location
')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Connections\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DeviceTelemetry\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"C2DCommands\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DeviceIdentityOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"FileUploadOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Routes\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"D2CTwinOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"C2DTwinOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TwinQueries\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"JobsOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DirectMethods\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DistributedTracing\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Configurations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DeviceStreams\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Devices/IotHubs/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa
\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-FirewallPolicy\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-FirewallPolicy", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys Azure Firewall Manager policy in subscription where the policy is assigned.", + "display_name": "Deploy Azure Firewall Manager policy in the subscription", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", + "mode": "All", + "name": "Deploy-FirewallPolicy", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"fwPolicyRegion\":{\"metadata\":{\"description\":\"Select Azure region for Azure Firewall Policy\",\"displayName\":\"fwPolicyRegion\",\"strongType\":\"location\"},\"type\":\"String\"},\"fwpolicy\":{\"defaultValue\":{},\"metadata\":{\"description\":\"Object describing Azure Firewall Policy\",\"displayName\":\"fwpolicy\"},\"type\":\"Object\"},\"rgName\":{\"metadata\":{\"description\":\"Provide name for resource group.\",\"displayName\":\"rgName\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"fwPolicy\":{\"value\":\"[parameters('fwPolicy')]\"},\"fwPolicyRegion\":{\"value\":\"[parameters('fwPolicyRegion')]\"},\"rgName\":{\"value\":\"[parameters('rgName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"fwPolicy\":{\"type\":\"object\"},\"fwPolicyRegion\":{\"type\":\"String\"},\"rgName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2018-05-01\",\"location\":\"[deployment().location]\",\"name\":\"[parameters('rgName')]\",\"properties\":{},\"type\":\"Microsoft.Resources/resourceGroups\"},{\"apiVersion\":\"2018-05-01\",\"dependsOn\":[\"[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]\"],\"name\":\"fwpolicies\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{},\"resources\":[{\"apiVersion\":\"2019-09-01\",\"dependsOn\":[],\"location\":\"[parameters('fwpolicy').location]\",\"name\":\"[parameters('fwpolicy').firewallPolicyName]\",\"properties\":{},\"resources\":[{\"apiVersion\":\"2019-09-01\",\"dependsOn\":[\"[resourceId('Microsoft.Network/firewallPolicies',parameters('fwpolicy').firewallPolicyName)]\"],\"name\":\"[parameters('fwpolicy').ruleGroups.name]\",\"properties\":{\"priority\":\"[parameters('fwpolicy').ruleGroups.properties.priority]\",\"rules\":\"[parameters('fwpolicy').ruleGroups.properties.rules]\"},\"type\":\"ruleGroups\"}],\"tags\":{},\"type\":\"Microsoft.Network/firewallPolicies\"}],\"variables\":{}}},\"resourceGroup\":\"[parameters('rgName')]\",\"type\":\"Microsoft.Resources/deployments\"}]}}},\"depl
oymentScope\":\"subscription\",\"existenceScope\":\"resourceGroup\",\"resourceGroupName\":\"[parameters('rgName')]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Network/firewallPolicies\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-MySQL-sslEnforcement", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure Database for MySQL server\",\"displayName\":\"Effect minimum TLS version Azure Database for MySQL server\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"Select version minimum TLS for MySQL server\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforMySQL/servers\",\"field\":\"type\"},{\"anyOf\":[{\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"},{\"field\":\"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('minimalTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimalTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-12-01\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimalTlsVersion\":\"[parameters('minimalTlsVersion')]\",\"sslEnforcement\":\"[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]\"},\"type\":\"Microsoft.DBforMySQL/servers\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"Enabled\",\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\"},{\"equals\":\"[parameters('minimalTlsVersion')]\",\"field\":\"Microsoft.DBforMySQL/servers/minimalTlsVersion\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.DBforMySQL/servers\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs\"]", + "mode": 
"managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys NSG flow logs and traffic analytics to a storageaccountid with a specfied retention period.", + "display_name": "Deploys NSG flow logs and traffic analytics", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Nsg-FlowLogs", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"flowAnalyticsEnabled\":{\"defaultValue\":false,\"metadata\":{\"displayName\":\"Enable Traffic Analytics\"},\"type\":\"Boolean\"},\"logAnalytics\":{\"defaultValue\":\"\",\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Resource ID of Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"retention\":{\"defaultValue\":5,\"metadata\":{\"displayName\":\"Retention\"},\"type\":\"Integer\"},\"storageAccountResourceId\":{\"metadata\":{\"displayName\":\"Storage Account Resource Id\",\"strongType\":\"Microsoft.Storage/storageAccounts\"},\"type\":\"String\"},\"trafficAnalyticsInterval\":{\"defaultValue\":60,\"metadata\":{\"displayName\":\"Traffic Analytics processing interval mins (10/60)\"},\"type\":\"Integer\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/networkSecurityGroups\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"flowAnalyticsEnabled\":{\"value\":\"[parameters('flowAnalyticsEnabled')]\"},\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"networkSecurityGroupName\":{\"value\":\"[field('name')]\"},\"resourceGroupName\":{\"value\":\"[resourceGroup().name]\"},\"retention\":{\"value\":\"[parameters('retention')]\"},\"storageAccountResourceId\":{\"value\":\"[parameters('storageAccountResourceId')]\"},\"trafficAnalyticsInterval\":{\"value\":\"[parameters('trafficAnalyticsInterval')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"flowAnalyticsEnabled\":{\"type\":\"bool\"},\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"networkSecurityGroupName\":{\"type\":\"String\"},\"resourceGroupName\":{\"type\":\"String\"},\"retention\":{\"type\":\"int\"},\"storageAccountResourceId\":{\"type\":\"String\"},\"trafficAnalyticsInterval\":{\"type\":\"int\"}},\"resources\":[{\"api
Version\":\"2020-05-01\",\"location\":\"[parameters('location')]\",\"name\":\"[take(concat('NetworkWatcher_', toLower(parameters('location')), '/', parameters('networkSecurityGroupName'), '-', parameters('resourceGroupName'), '-flowlog' ), 80)]\",\"properties\":{\"enabled\":true,\"flowAnalyticsConfiguration\":{\"networkWatcherFlowAnalyticsConfiguration\":{\"enabled\":\"[bool(parameters('flowAnalyticsEnabled'))]\",\"trafficAnalyticsInterval\":\"[parameters('trafficAnalyticsInterval')]\",\"workspaceId\":\"[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').properties.customerId, json('null')) ]\",\"workspaceRegion\":\"[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').location, json('null')) ]\",\"workspaceResourceId\":\"[if(not(empty(parameters('logAnalytics'))), parameters('logAnalytics'), json('null'))]\"}},\"format\":{\"type\":\"JSON\",\"version\":2},\"retentionPolicy\":{\"days\":\"[parameters('retention')]\",\"enabled\":true},\"storageId\":\"[parameters('storageAccountResourceId')]\",\"targetResourceId\":\"[resourceId(parameters('resourceGroupName'), 'Microsoft.Network/networkSecurityGroups', 
parameters('networkSecurityGroupName'))]\"},\"type\":\"Microsoft.Network/networkWatchers/flowLogs\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Network/networkWatchers/flowLogs/enabled\"},{\"equals\":\"[parameters('flowAnalyticsEnabled')]\",\"field\":\"Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled\"}]},\"resourceGroupName\":\"NetworkWatcherRG\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Network/networkWatchers/flowLogs\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs-to-LA\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs-to-LA", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys NSG flow logs and traffic analytics to Log Analytics with a specfied retention period.", + "display_name": "Deploys NSG flow logs and traffic analytics to Log Analytics", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.1.0\"}", + "mode": "Indexed", + "name": "Deploy-Nsg-FlowLogs-to-LA", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"interval\":{\"defaultValue\":60,\"metadata\":{\"displayName\":\"Traffic Analytics processing interval mins (10/60)\"},\"type\":\"Integer\"},\"retention\":{\"defaultValue\":5,\"metadata\":{\"displayName\":\"Retention\"},\"type\":\"Integer\"},\"workspace\":{\"defaultValue\":\"\",\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Resource ID of Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/networkSecurityGroups\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"interval\":{\"value\":\"[parameters('interval')]\"},\"location\":{\"value\":\"[field('location')]\"},\"networkSecurityGroup\":{\"value\":\"[field('id')]\"},\"retention\":{\"value\":\"[parameters('retention')]\"},\"workspace\":{\"value\":\"[parameters('workspace')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"interval\":{\"type\":\"int\"},\"location\":{\"type\":\"String\"},\"networkSecurityGroup\":{\"type\":\"String\"},\"retention\":{\"type\":\"int\"},\"time\":{\"defaultValue\":\"[utcNow()]\",\"type\":\"String\"},\"workspace\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2019-10-01\",\"name\":\"[concat(variables('resourceGroupName'), '.', 
variables('securityGroupName'))]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"resources\":[{\"apiVersion\":\"2019-06-01\",\"kind\":\"StorageV2\",\"location\":\"[parameters('location')]\",\"name\":\"[variables('storageAccountName')]\",\"properties\":{},\"sku\":{\"name\":\"Standard_LRS\",\"tier\":\"Standard\"},\"type\":\"Microsoft.Storage/storageAccounts\"}]}},\"resourceGroup\":\"[variables('resourceGroupName')]\",\"type\":\"Microsoft.Resources/deployments\"},{\"apiVersion\":\"2019-10-01\",\"dependsOn\":[\"[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]\"],\"name\":\"[concat('NetworkWatcherRG', '.', variables('securityGroupName'))]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"resources\":[{\"apiVersion\":\"2020-05-01\",\"location\":\"[parameters('location')]\",\"name\":\"[concat('NetworkWatcher_', toLower(parameters('location')))]\",\"properties\":{},\"resources\":[{\"apiVersion\":\"2019-11-01\",\"dependsOn\":[\"[concat('NetworkWatcher_', toLower(parameters('location')))]\"],\"location\":\"[parameters('location')]\",\"name\":\"[concat(variables('securityGroupName'), '-Network-flowlog')]\",\"properties\":{\"enabled\":true,\"flowAnalyticsConfiguration\":{\"networkWatcherFlowAnalyticsConfiguration\":{\"enabled\":true,\"trafficAnalyticsInterval\":\"[parameters('interval')]\",\"workspaceResourceId\":\"[parameters('workspace')]\"}},\"format\":{\"type\":\"JSON\",\"version\":2},\"retentionPolicy\":{\"days\":\"[parameters('retention')]\",\"enabled\":true},\"storageId\":\"[concat(subscription().id, '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.Storage/storageAccounts/', 
variables('storageAccountName'))]\",\"targetResourceId\":\"[parameters('networkSecurityGroup')]\"},\"type\":\"flowLogs\"}],\"type\":\"Microsoft.Network/networkWatchers\"}]}},\"resourceGroup\":\"NetworkWatcherRG\",\"type\":\"Microsoft.Resources/deployments\"}],\"variables\":{\"resourceGroupName\":\"[split(parameters('networkSecurityGroup'), '/')[4]]\",\"securityGroupName\":\"[split(parameters('networkSecurityGroup'), '/')[8]]\",\"storageAccountName\":\"[concat('es', uniqueString(variables('securityGroupName'), parameters('time')))]\"}}}},\"deploymentScope\":\"subscription\",\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Network/networkWatchers/flowLogs/enabled\"}]},\"existenceScope\":\"resourceGroup\",\"name\":\"[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id'))), 'null/null', concat(split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8], '/', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10]))]\",\"resourceGroupName\":\"[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), 'NetworkWatcherRG', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\",\"/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12\",\"/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\",\"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\",\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Network/networkWatchers/flowlogs\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL ", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-PostgreSQL-sslEnforcement", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure Database for PostgreSQL server\",\"displayName\":\"Effect Azure Database for PostgreSQL server\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for PostgreSQL server to enforce\",\"displayName\":\"Select version for PostgreSQL 
server\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforPostgreSQL/servers\",\"field\":\"type\"},{\"anyOf\":[{\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\"notEquals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('minimalTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimalTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-12-01\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimalTlsVersion\":\"[parameters('minimalTlsVersion')]\",\"sslEnforcement\":\"[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]\"},\"type\":\"Microsoft.DBforPostgreSQL/servers\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"Enabled\",\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\"},{\"equals\":\"[parameters('minimalTlsVersion')]\",\"field\":\"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\"}]},\"name\":\"current\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.DBforPostgreSQL/servers\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "SQL servers deploys a specific min TLS version requirement.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-SQL-minTLS", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version SQL servers\",\"displayName\":\"Effect SQL servers\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version SQL servers to enforce\",\"displayName\":\"Select version for SQL server\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Sql/servers\",\"field\":\"type\"},{\"field\":\"Microsoft.Sql/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('minimalTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimalTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2019-06-01-preview\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimalTlsVersion\":\"[parameters('minimalTlsVersion')]\"},\"type\":\"Microsoft.Sql/servers\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('minimalTlsVersion')]\",\"field\":\"Microsoft.Sql/servers/minimalTlsVersion\"}]},\"name\":\"current\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.Sql/servers\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + 
"schema_version": 0, + "values": { + "description": "Deploy auditing settings to SQL Database when it not exist in the deployment", + "display_name": "Deploy SQL database auditing settings", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Sql-AuditingSettings", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Sql/servers/databases\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"sqlServerDataBaseName\":{\"value\":\"[field('name')]\"},\"sqlServerName\":{\"value\":\"[first(split(field('fullname'),'/'))]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"sqlServerDataBaseName\":{\"type\":\"String\"},\"sqlServerName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-03-01-preview\",\"name\":\"[concat( 
parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\"properties\":{\"auditActionsAndGroups\":[\"BATCH_COMPLETED_GROUP\",\"DATABASE_OBJECT_CHANGE_GROUP\",\"SCHEMA_OBJECT_CHANGE_GROUP\",\"BACKUP_RESTORE_GROUP\",\"APPLICATION_ROLE_CHANGE_PASSWORD_GROUP\",\"DATABASE_PRINCIPAL_CHANGE_GROUP\",\"DATABASE_PRINCIPAL_IMPERSONATION_GROUP\",\"DATABASE_ROLE_MEMBER_CHANGE_GROUP\",\"USER_CHANGE_PASSWORD_GROUP\",\"DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP\",\"DATABASE_OBJECT_PERMISSION_CHANGE_GROUP\",\"DATABASE_PERMISSION_CHANGE_GROUP\",\"SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP\",\"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP\",\"FAILED_DATABASE_AUTHENTICATION_GROUP\"],\"isAzureMonitorTargetEnabled\":true,\"state\":\"enabled\"},\"type\":\"Microsoft.Sql/servers/databases/auditingSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"enabled\",\"field\":\"Microsoft.Sql/servers/databases/auditingSettings/state\"},{\"equals\":\"true\",\"field\":\"Microsoft.Sql/servers/databases/auditingSettings/isAzureMonitorTargetEnabled\"}]},\"name\":\"default\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"],\"type\":\"Microsoft.Sql/servers/databases/auditingSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy 
the security Alert Policies configuration with email admin accounts when it not exist in current configuration", + "display_name": "Deploy SQL Database security Alert Policies configuration with email admin accounts", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Sql-SecurityAlertPolicies", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Sql/servers/databases\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"sqlServerDataBaseName\":{\"value\":\"[field('name')]\"},\"sqlServerName\":{\"value\":\"[first(split(field('fullname'),'/'))]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"sqlServerDataBaseName\":{\"type\":\"String\"},\"sqlServerName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2018-06-01-preview\",\"name\":\"[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\"properties\":{\"disabledAlerts\":[\"\"],\"emailAccountAdmins\":true,\"emailAddresses\":[\"admin@contoso.com\"],\"retentionDays\":0,\"state\":\"Enabled\",\"storageAccountAccessKey\":\"\",\"storageEndpoint\":null},\"type\":\"Microsoft.Sql/servers/databases/securityAlertPolicies\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"Enabled\",\"field\":\"Microsoft.Sql/servers/databases/securityAlertPolicies/state\"}]},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e
-88ba6a50c9c3\"],\"type\":\"Microsoft.Sql/servers/databases/securityAlertPolicies\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment", + "display_name": "Deploy SQL Database Transparent Data Encryption ", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Sql-Tde", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Sql/servers/databases\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"sqlServerDataBaseName\":{\"value\":\"[field('name')]\"},\"sqlServerName\":{\"value\":\"[first(split(field('fullname'),'/'))]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"sqlServerDataBaseName\":{\"type\":\"String\"},\"sqlServerName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2014-04-01\",\"name\":\"[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/current')]\",\"properties\":{\"status\":\"Enabled\"},\"type\":\"Microsoft.Sql/servers/databases/transparentDataEncryption\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"Enabled\",\"field\":\"Microsoft.Sql/transparentDataEncryption.status\"}]},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"],\"type\":\"Microsoft.Sql/servers/databases/transparentDataEncryption\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy SQL Database vulnerability 
Assessments when it not exist in the deployment. To the specific storage account in the parameters", + "display_name": "Deploy SQL Database vulnerability Assessments", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Sql-vulnerabilityAssessments", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"vulnerabilityAssessmentsEmail\":{\"metadata\":{\"description\":\"The email address to send alerts\",\"displayName\":\"The email address to send alerts\"},\"type\":\"String\"},\"vulnerabilityAssessmentsStorageID\":{\"metadata\":{\"description\":\"The storage account ID to store assessments\",\"displayName\":\"The storage account ID to store assessments\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Sql/servers/databases\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"sqlServerDataBaseName\":{\"value\":\"[field('name')]\"},\"sqlServerName\":{\"value\":\"[first(split(field('fullname'),'/'))]\"},\"vulnerabilityAssessmentsEmail\":{\"value\":\"[parameters('vulnerabilityAssessmentsEmail')]\"},\"vulnerabilityAssessmentsStorageID\":{\"value\":\"[parameters('vulnerabilityAssessmentsStorageID')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"sqlServerDataBaseName\":{\"type\":\"String\"},\"sqlServerName\":{\"type\":\"String\"},\"vulnerabilityAssessmentsEmail\":{\"type\":\"String\"},\"vulnerabilityAssessmentsStorageID\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-03-01-p
review\",\"name\":\"[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\"properties\":{\"recurringScans\":{\"emailSubscriptionAdmins\":false,\"emails\":[\"[parameters('vulnerabilityAssessmentsEmail')]\"],\"isEnabled\":true},\"storageAccountAccessKey\":\"[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]\",\"storageContainerPath\":\"[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') ) , '.blob.core.windows.net/vulneraabilitylogs')]\"},\"type\":\"Microsoft.Sql/servers/databases/vulnerabilityAssessments\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('vulnerabilityAssessmentsEmail')]\",\"field\":\"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails\"},{\"equals\":true,\"field\":\"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled\"}]},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\",\"/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\"],\"type\":\"Microsoft.Sql/servers/databases/vulnerabilityAssessments\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy a specific min TLS 
version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "SQL managed instances deploy a specific min TLS version requirement.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-SqlMi-minTLS", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version SQL servers\",\"displayName\":\"Effect SQL servers\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version SQL servers to enforce\",\"displayName\":\"Select version for SQL server\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Sql/managedInstances\",\"field\":\"type\"},{\"field\":\"Microsoft.Sql/managedInstances/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('minimalTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimalTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2020-02-02-preview\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimalTlsVersion\":\"[parameters('minimalTlsVersion')]\"},\"type\":\"Microsoft.Sql/managedInstances\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('minimalTlsVersion')]\",\"field\":\"Microsoft.Sql/managedInstances/minimalTlsVersion\"}]},\"name\":\"current\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.Sql/managedInstances\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", + "provider_name": 
"registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure STorage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS ", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Storage\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Storage-sslEnforcement", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure STorage\",\"displayName\":\"Effect Azure STorage\"},\"type\":\"String\"},\"minimumTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_1\",\"TLS1_0\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure STorage to enforce\",\"displayName\":\"Select version for PostgreSQL server\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Storage/storageAccounts\",\"field\":\"type\"},{\"anyOf\":[{\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\"notEquals\":\"true\"},{\"field\":\"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\"notEquals\":\"[parameters('minimumTlsVersion')]\"}]}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('minimumTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimumTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2019-06-01\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimumTlsVersion\":\"[parameters('minimumTlsVersion')]\",\"supportsHttpsTrafficOnly\":true},\"type\":\"Microsoft.Storage/storageAccounts\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\"},{\"equals\":\"[parameters('minimumTlsVersion')]\",\"field\":\"Microsoft.Storage/storageAccounts/minimumTlsVersion\"},{\"equals\":\"false\",\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\"}]},\"name\":\"current\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.DBforPostgreSQL/servers\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-VNET-HubSpoke\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-VNET-HubSpoke", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy deploys virtual network and peer to the hub", + "display_name": "Deploy Virtual Network with peering to the hub", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.1.0\"}", + "mode": "All", + "name": "Deploy-VNET-HubSpoke", + "parameters": "{\"dnsServers\":{\"defaultValue\":[],\"metadata\":{\"description\":\"Default domain servers for the vNET.\",\"displayName\":\"DNSServers\"},\"type\":\"Array\"},\"hubResourceId\":{\"metadata\":{\"description\":\"Resource ID for the HUB vNet\",\"displayName\":\"hubResourceId\"},\"type\":\"String\"},\"vNetCidrRange\":{\"metadata\":{\"description\":\"CIDR Range for the vNet\",\"displayName\":\"vNetCidrRange\"},\"type\":\"String\"},\"vNetLocation\":{\"metadata\":{\"description\":\"Location for the vNet\",\"displayName\":\"vNetLocation\"},\"type\":\"String\"},\"vNetName\":{\"metadata\":{\"description\":\"Name of the landing zone vNet\",\"displayName\":\"vNetName\"},\"type\":\"String\"},\"vNetPeerUseRemoteGateway\":{\"defaultValue\":false,\"metadata\":{\"description\":\"Enable gateway transit for the LZ network\",\"displayName\":\"vNetPeerUseRemoteGateway\"},\"type\":\"Boolean\"},\"vNetRgName\":{\"metadata\":{\"description\":\"Name of the landing zone vNet RG\",\"displayName\":\"vNetRgName\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"ResourceGroupName\":\"[parameters('vNetRgName')]\",\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"dnsServers\":{\"value\":\"[parameters('dnsServers')]\"},\"hubResourceId\":{\"value\":\"[parameters('hubResourceId')]\"},\"vNetCidrRange\":{\"value\":\"[parameters('vNetCidrRange')]\"},\"vNetLocation\":{\"value\":\"[parameters('vNetLocation')]\"},\"vNetName\":{\"value\":\"[parameters('vNetName')]\"},\"vNetPeerUseRemoteGateway\":{\"value\":\"[parameters('vNetPeerUseRemoteGateway')]\"},\"vNetRgName\":{\"value\":\"[parameters('vNetRgName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"dnsServers\":{\"defaultValue\":[],\"type\":\"Array\"},\"hubResourceId\":{\"type\":\"String\"},\"vNetCidrRange\":{\"type\":\"String\"},\"vNetLocation\":{\"type\":\"String\"},\"vNetName\":{\"type\":\"String\"},\"vNetPeerUseRemoteGateway\":{\"defaultValue\":false,\"type\":\"bool\"},\"vNetRgName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2021-04-01\",\"dependsOn\":[],\"location\":\"[parameters('vNetLocation')]\",\"name\":\"[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6),'-rg')]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{},\"resources\":[{\"apiVersion\":\"2021-04-01\",\"location\":\"[parameters('vNetLocation')]\",\"name\":\"[parameters('vNetRgName')]\",\"properties\":{},\"type\":\"Microsoft.Resources/resourceGroups\"}],\"variables\":{}}},\"type\":\"Microsoft.Resources/deployments\"},{\"apiVersion\":\"2021-04-01\",\"dependsOn\":[\"[concat('es-lz-vnet-',substring(uniqueString(subscrip
tion().id),0,6),'-rg')]\"],\"name\":\"[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6))]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{},\"resources\":[{\"apiVersion\":\"2021-02-01\",\"dependsOn\":[],\"location\":\"[parameters('vNetLocation')]\",\"name\":\"[parameters('vNetName')]\",\"properties\":{\"addressSpace\":{\"addressPrefixes\":[\"[parameters('vNetCidrRange')]\"]},\"dhcpOptions\":{\"dnsServers\":\"[parameters('dnsServers')]\"}},\"type\":\"Microsoft.Network/virtualNetworks\"},{\"apiVersion\":\"2021-02-01\",\"dependsOn\":[\"[parameters('vNetName')]\"],\"name\":\"[concat(parameters('vNetName'), '/peerToHub')]\",\"properties\":{\"allowForwardedTraffic\":true,\"allowGatewayTransit\":false,\"allowVirtualNetworkAccess\":true,\"remoteVirtualNetwork\":{\"id\":\"[parameters('hubResourceId')]\"},\"useRemoteGateways\":\"[parameters('vNetPeerUseRemoteGateway')]\"},\"type\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\"},{\"apiVersion\":\"2021-04-01\",\"dependsOn\":[\"[parameters('vNetName')]\"],\"name\":\"[concat('es-lz-hub-',substring(uniqueString(subscription().id),0,6),'-peering')]\",\"properties\":{\"expressionEvaluationOptions\":{\"scope\":\"inner\"},\"mode\":\"Incremental\",\"parameters\":{\"hubName\":{\"value\":\"[split(parameters('hubResourceId'),'/')[8]]\"},\"remoteVirtualNetwork\":{\"value\":\"[concat(subscription().id,'/resourceGroups/',parameters('vNetRgName'), '/providers/','Microsoft.Network/virtualNetworks/', 
parameters('vNetName'))]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"hubName\":{\"defaultValue\":false,\"type\":\"String\"},\"remoteVirtualNetwork\":{\"defaultValue\":false,\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2021-02-01\",\"name\":\"[[concat(parameters('hubName'),'/',last(split(parameters('remoteVirtualNetwork'),'/')))]\",\"properties\":{\"allowForwardedTraffic\":true,\"allowGatewayTransit\":true,\"allowVirtualNetworkAccess\":true,\"remoteVirtualNetwork\":{\"id\":\"[[parameters('remoteVirtualNetwork')]\"},\"useRemoteGateways\":false},\"type\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\"}],\"variables\":{}}},\"resourceGroup\":\"[split(parameters('hubResourceId'),'/')[4]]\",\"subscriptionId\":\"[split(parameters('hubResourceId'),'/')[2]]\",\"type\":\"Microsoft.Resources/deployments\"}],\"variables\":{}}},\"resourceGroup\":\"[parameters('vNetRgName')]\",\"type\":\"Microsoft.Resources/deployments\"}],\"variables\":{}}}},\"deploymentScope\":\"subscription\",\"existenceCondition\":{\"allOf\":[{\"field\":\"name\",\"like\":\"[parameters('vNetName')]\"},{\"equals\":\"[parameters('vNetLocation')]\",\"field\":\"location\"}]},\"existenceScope\":\"resourceGroup\",\"name\":\"[parameters('vNetName')]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Network/virtualNetworks\"},\"effect\":\"deployIfNotExists\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Windows-DomainJoin\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Windows-DomainJoin", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy Windows Domain Join Extension with keyvault configuration when the extension does not exist on a given windows Virtual Machine", + "display_name": "Deploy Windows Domain Join Extension with keyvault configuration", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Guest Configuration\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Windows-DomainJoin", + "parameters": "{\"domainFQDN\":{\"metadata\":{\"displayName\":\"domainFQDN\"},\"type\":\"String\"},\"domainOUPath\":{\"metadata\":{\"displayName\":\"domainOUPath\"},\"type\":\"String\"},\"domainPassword\":{\"metadata\":{\"displayName\":\"domainPassword\"},\"type\":\"String\"},\"domainUsername\":{\"metadata\":{\"displayName\":\"domainUsername\"},\"type\":\"String\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"keyVaultResourceId\":{\"metadata\":{\"displayName\":\"keyVaultResourceId\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Compute/virtualMachines\",\"field\":\"type\"},{\"equals\":\"MicrosoftWindowsServer\",\"field\":\"Microsoft.Compute/imagePublisher\"},{\"equals\":\"WindowsServer\",\"field\":\"Microsoft.Compute/imageOffer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2008-R2-SP1-zhcn\",\"2012-Datacenter\",\"2012-datacenter-gensecond\",\"2012-Datacenter-smalldisk\",\"2012-datacenter-smalldisk-g2\",\"2012-Datacenter-zhcn\",\"2012-datacenter-zhcn-g2\",\"2012-R2-Datacenter\",\"2012-r2-datacenter-gensecond\",\"2012-R2-Datacenter-smalldisk\",\"2012-r2-datacenter-smalldisk-g2\",\"2012-R2-Datacenter-zhcn\",\"2012-r2-datacenter-zhcn-g2\",\"2016-Datacenter\",\"2016-datacenter-gensecond\",\"2016-datacenter-gs\",\"2016-Datacenter-Server-Core\",\"2016-datacenter-server-core-g2\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-datacenter-server-core-smalldisk-g2\",\"2016-Datacenter-smalldisk\",\"2016-datacenter-smalldisk-g2\",\"2016-Datacenter-with-Containers\",\"2016-datacenter-with-containers-g2\",\"2016-Datacenter-with-RDSH\",\"2016-Datacenter-zhcn\",\"2016-datacenter-zhcn-g2\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-datacenter-core-g2\",\"2019-Datacenter-Core-smalldisk\",\"2019-datacenter-core-smalldisk-g2\",\"2019-Datacenter-Core-with-Containers\",\"2019-datacenter-core-with-containers-g2\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-datacenter-core-with-containers-smalldisk-g2\",\"2019-datacenter-gensecond\",\"2019-datacenter-gs\",\"2019-Datacenter-smalldisk\",\"2019-datacenter-smalldisk-g2\",\"2019-Datacenter-with-Containers\",\"2019-datacenter-with-containers-g2\",\"2019-Datacenter-with-Containers-smalldisk\",\"2019-datacenter-with-containers-smalldisk-g2\",\"2019-Datacenter-zhcn\",\"2019-datacenter-zhcn-g2\",\"Datacenter-Core-1803-with-Containers-smalldisk\",\"datacenter-core-1803-with-containers-smalldisk-g2\",\"Datacenter-Core-1809-with-Containers-smalldisk\",\"data
center-core-1809-with-containers-smalldisk-g2\",\"Datacenter-Core-1903-with-Containers-smalldisk\",\"datacenter-core-1903-with-containers-smalldisk-g2\",\"datacenter-core-1909-with-containers-smalldisk\",\"datacenter-core-1909-with-containers-smalldisk-g1\",\"datacenter-core-1909-with-containers-smalldisk-g2\"]}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"domainFQDN\":{\"value\":\"[parameters('domainFQDN')]\"},\"domainOUPath\":{\"value\":\"[parameters('domainOUPath')]\"},\"domainPassword\":{\"reference\":{\"keyVault\":{\"id\":\"[parameters('keyVaultResourceId')]\"},\"secretName\":\"[parameters('domainPassword')]\"}},\"domainUsername\":{\"reference\":{\"keyVault\":{\"id\":\"[parameters('keyVaultResourceId')]\"},\"secretName\":\"[parameters('domainUsername')]\"}},\"keyVaultResourceId\":{\"value\":\"[parameters('keyVaultResourceId')]\"},\"location\":{\"value\":\"[field('location')]\"},\"vmName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"domainFQDN\":{\"type\":\"String\"},\"domainOUPath\":{\"type\":\"String\"},\"domainPassword\":{\"type\":\"securestring\"},\"domainUsername\":{\"type\":\"String\"},\"keyVaultResourceId\":{\"type\":\"String\"},\"location\":{\"type\":\"String\"},\"vmName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2015-06-15\",\"location\":\"[resourceGroup().location]\",\"name\":\"[concat(variables('vmName'),'/joindomain')]\",\"properties\":{\"autoUpgradeMinorVersion\":true,\"protectedSettings\":{\"Password\":\"[parameters('domainPassword')]\"},\"publisher\":\"Microsoft.Compute\",\"settings\":{\"Name\":\"[parameters('domainFQDN')]\",\"OUPath\":\"[parameters('domainOUPath')]\",\"Options\":\"[variables('domainJoinOptions')]\",\"Restart\":\"true\",\"User\":\"[parameters('domainUserName')]\"},\"type\":\"JsonADDomainExtension\",\"t
ypeHandlerVersion\":\"1.3\"},\"type\":\"Microsoft.Compute/virtualMachines/extensions\"}],\"variables\":{\"domainJoinOptions\":3,\"vmName\":\"[parameters('vmName')]\"}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"JsonADDomainExtension\",\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\"},{\"equals\":\"Microsoft.Compute\",\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\"}]},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"],\"type\":\"Microsoft.Compute/virtualMachines/extensions\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints\"]", + "mode": "managed", + "type": "azurerm_policy_set_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints", + "display_name": "Public network access should be disabled for PaaS services", + "management_group_id": "root-id-1", + "name": "Deny-PublicPaaSEndpoints", + "parameters": "{\"ACRPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies the creation of Azure Container Registires with exposed public endpoints \",\"displayName\":\"Public network access on Azure Container Registry 
disabled\"},\"type\":\"String\"},\"AFSPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies the creation of Azure File Sync instances with exposed public endpoints \",\"displayName\":\"Public network access on Azure File Sync disabled\"},\"type\":\"String\"},\"AKSPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies the creation of Azure Kubernetes Service non-private clusters\",\"displayName\":\"Public network access on AKS API should be disabled\"},\"type\":\"String\"},\"BatchPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of Azure Batch Instances with exposed public endpoints\",\"displayName\":\"Public network access should be disabled for Azure Batch Instances\"},\"type\":\"String\"},\"CosmosPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies that Cosmos database accounts are created with out public network access is disabled.\",\"displayName\":\"Public network access should be disabled for CosmosDB\"},\"type\":\"String\"},\"KeyVaultPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\",\"displayName\":\"Public network access should be disabled for KeyVault\"},\"type\":\"String\"},\"MySQLFlexPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\",\"displayName\":\"Public network access should be disabled for MySQL Flexible 
Server\"},\"type\":\"String\"},\"PostgreSQLFlexPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of Postgre SQL Flexible DB accounts with exposed public endpoints\",\"displayName\":\"Public network access should be disabled for PostgreSql Flexible Server\"},\"type\":\"String\"},\"SqlServerPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of Sql servers with exposed public endpoints\",\"displayName\":\"Public network access on Azure SQL Database should be disabled\"},\"type\":\"String\"},\"StoragePublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\",\"displayName\":\"Public network access onStorage accounts should be disabled\"},\"type\":\"String\"}}", + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('CosmosPublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a", + "policy_group_names": null, + "reference_id": "CosmosDenyPaasPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('KeyVaultPublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490", + "policy_group_names": null, + "reference_id": "KeyVaultDenyPaasPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlServerPublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780", + "policy_group_names": null, + "reference_id": 
"SqlServerDenyPaasPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('StoragePublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c", + "policy_group_names": null, + "reference_id": "StorageDenyPaasPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AKSPublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8", + "policy_group_names": null, + "reference_id": "AKSDenyPaasPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('ACRPublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f", + "policy_group_names": null, + "reference_id": "ACRDenyPaasPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AFSPublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7", + "policy_group_names": null, + "reference_id": "AFSDenyPaasPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48", + "policy_group_names": null, + "reference_id": "PostgreSQLFlexDenyPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLFlexPublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052", + "policy_group_names": null, + "reference_id": "MySQLFlexDenyPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('BatchPublicIpDenyEffect')]\"}}", + "policy_definition_id": 
"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488", + "policy_group_names": null, + "reference_id": "BatchDenyPublicIP" + } + ], + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": { + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + } + ] + } + }, + { + "address": "module.test_core.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics\"]", + "mode": "managed", + "type": "azurerm_policy_set_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included ", + "display_name": "Deploy Diagnostic Settings to Azure Services", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "name": "Deploy-Diagnostics-LogAnalytics", + "parameters": "{\"ACILogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. 
The Policy willset the diagnostic with all metrics enabled.\",\"displayName\":\"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\"},\"type\":\"String\"},\"ACRLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\",\"displayName\":\"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\"},\"type\":\"String\"},\"AKSLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\",\"displayName\":\"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\"},\"type\":\"String\"},\"APIMgmtLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for API Management to Log Analytics workspace\"},\"type\":\"String\"},\"APIforFHIRLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\"},\"type\":\"String\"},\"AnalysisServiceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\"},\"type\":\"String\"},\"AppServiceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\"},\"type\":\"String\"},\"AppServiceWebappLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for App Service to Log Analytics workspace\"},\"type\":\"String\"},\"ApplicationGatewayLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\"},\"type\":\"String\"},\"AutomationLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Automation to Log Analytics workspace\"},\"type\":\"String\"},\"BatchLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Batch to Log Analytics workspace\"},\"type\":\"String\"},\"CDNEndpointsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\"},\"type\":\"String\"},\"CognitiveServicesLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\"},\"type\":\"String\"},\"CosmosLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\"},\"type\":\"String\"},\"DataExplorerClusterLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\"},\"type\":\"String\"},\"DataFactoryLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\"},\"type\":\"String\"},\"DataLakeAnalyticsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\"},\"type\":\"String\"},\"DataLakeStoreLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\"},\"type\":\"String\"},\"DatabricksLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\"},\"type\":\"String\"},\"EventGridSubLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\"},\"type\":\"String\"},\"EventGridTopicLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\"},\"type\":\"String\"},\"EventHubLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\"},\"type\":\"String\"},\"EventSystemTopicLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\"},\"type\":\"String\"},\"ExpressRouteLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\"},\"type\":\"String\"},\"FirewallLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\"},\"type\":\"String\"},\"FrontDoorLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\"},\"type\":\"String\"},\"FunctionAppLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\"},\"type\":\"String\"},\"HDInsightLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\"},\"type\":\"String\"},\"IotHubLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\"},\"type\":\"String\"},\"KeyVaultLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\"},\"type\":\"String\"},\"LoadBalancerLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\"},\"type\":\"String\"},\"LogicAppsISELogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\"},\"type\":\"String\"},\"LogicAppsWFLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\"},\"type\":\"String\"},\"MariaDBLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\"},\"type\":\"String\"},\"MediaServiceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\"},\"type\":\"String\"},\"MlWorkspaceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\"},\"type\":\"String\"},\"MySQLLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\"},\"type\":\"String\"},\"NetworkNICLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\"},\"type\":\"String\"},\"NetworkPublicIPNicLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\"},\"type\":\"String\"},\"NetworkSecurityGroupsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\"},\"type\":\"String\"},\"PostgreSQLLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\"},\"type\":\"String\"},\"PowerBIEmbeddedLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\"},\"type\":\"String\"},\"RedisCacheLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\"},\"type\":\"String\"},\"RelayLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Relay to Log Analytics workspace\"},\"type\":\"String\"},\"SQLDBsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\"},\"type\":\"String\"},\"SQLElasticPoolsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\"},\"type\":\"String\"},\"SQLMLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\"},\"type\":\"String\"},\"SearchServicesLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\"},\"type\":\"String\"},\"ServiceBusLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\"},\"type\":\"String\"},\"SignalRLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\"},\"type\":\"String\"},\"StorageAccountsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\"},\"type\":\"String\"},\"StreamAnalyticsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\"},\"type\":\"String\"},\"TimeSeriesInsightsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\"},\"type\":\"String\"},\"TrafficManagerLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\"},\"type\":\"String\"},\"VMSSLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\"},\"type\":\"String\"},\"VNetGWLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\",\"displayName\":\"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\"},\"type\":\"String\"},\"VirtualMachinesLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\"},\"type\":\"String\"},\"VirtualNetworkLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\"},\"type\":\"String\"},\"WVDAppGroupsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for WVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for WVD Application Groups to Log Analytics workspace\"},\"type\":\"String\"},\"WVDHostPoolsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for WVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for WVD Host pools to Log Analytics workspace\"},\"type\":\"String\"},\"WVDWorkspaceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for WVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for WVD Workspace to Log Analytics workspace\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('StorageAccountsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474", + "policy_group_names": null, + "reference_id": "StorageAccountDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('WVDAppGroupsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup", + "policy_group_names": null, + "reference_id": "WVDAppGroupDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('WVDWorkspaceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace", + "policy_group_names": null, + "reference_id": "WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('WVDHostPoolsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools", + "policy_group_names": null, + "reference_id": "WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('ACILogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI", + "policy_group_names": null, + "reference_id": "ACIDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('ACRLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR", + "policy_group_names": null, + "reference_id": "ACRDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"diagnosticsSettingNameToUse\":{\"value\":\"[parameters('profileName')]\"},\"effect\":{\"value\":\"[parameters('AKSLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8", + "policy_group_names": null, + "reference_id": "AKSDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('AnalysisServiceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService", + "policy_group_names": null, + "reference_id": "AnalysisServiceDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('APIforFHIRLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR", + "policy_group_names": null, + "reference_id": "APIforFHIRDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('APIMgmtLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt", + "policy_group_names": null, + "reference_id": "APIMgmtDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('ApplicationGatewayLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway", + "policy_group_names": null, + "reference_id": "ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics" + }, + { 
+ "parameter_values": "{\"effect\":{\"value\":\"[parameters('AutomationLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA", + "policy_group_names": null, + "reference_id": "AutomationDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('BatchLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5", + "policy_group_names": null, + "reference_id": "BatchDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('CDNEndpointsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints", + "policy_group_names": null, + "reference_id": "CDNEndpointsDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('CognitiveServicesLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices", + "policy_group_names": null, + "reference_id": "CognitiveServicesDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('CosmosLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB", + "policy_group_names": null, + "reference_id": "CosmosDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('DatabricksLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks", + "policy_group_names": null, + "reference_id": "DatabricksDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataExplorerClusterLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster", + "policy_group_names": null, + "reference_id": "DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataFactoryLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory", + "policy_group_names": null, + "reference_id": "DataFactoryDeployDiagnosticLogDeployLogAnalytics" + }, + { + 
"parameter_values": "{\"effect\":{\"value\":\"[parameters('DataLakeStoreLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03", + "policy_group_names": null, + "reference_id": "DataLakeStoreDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics", + "policy_group_names": null, + "reference_id": "DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('EventGridSubLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub", + "policy_group_names": null, + "reference_id": "EventGridSubDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('EventGridTopicLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic", + "policy_group_names": null, + "reference_id": "EventGridTopicDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('EventHubLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579", + "policy_group_names": null, + "reference_id": "EventHubDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('EventSystemTopicLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic", + "policy_group_names": null, + "reference_id": "EventSystemTopicDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('ExpressRouteLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute", + "policy_group_names": null, + "reference_id": "ExpressRouteDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('FirewallLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall", + "policy_group_names": null, + "reference_id": "FirewallDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('FrontDoorLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor", + "policy_group_names": null, + "reference_id": "FrontDoorDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('FunctionAppLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function", + "policy_group_names": null, + "reference_id": "FunctionAppDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('HDInsightLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight", + "policy_group_names": null, + "reference_id": "HDInsightDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('IotHubLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub", + "policy_group_names": null, + "reference_id": "IotHubDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('KeyVaultLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47", + "policy_group_names": null, + "reference_id": "KeyVaultDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('LoadBalancerLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer", + "policy_group_names": null, + "reference_id": "LoadBalancerDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('LogicAppsISELogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE", + "policy_group_names": null, + "reference_id": "LogicAppsISEDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('LogicAppsWFLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721", + "policy_group_names": null, + "reference_id": "LogicAppsWFDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('MariaDBLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB", + "policy_group_names": null, + "reference_id": "MariaDBDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('MediaServiceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService", + "policy_group_names": null, + "reference_id": "MediaServiceDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('MlWorkspaceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace", + "policy_group_names": null, + "reference_id": "MlWorkspaceDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL", + "policy_group_names": null, + "reference_id": "MySQLDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups", + "policy_group_names": null, + "reference_id": "NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('NetworkNICLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC", + "policy_group_names": null, + "reference_id": "NetworkNICDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL", + "policy_group_names": null, + "reference_id": "PostgreSQLDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded", + "policy_group_names": null, + "reference_id": 
"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"True\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648", + "policy_group_names": null, + "reference_id": "NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3", + "policy_group_names": null, + "reference_id": "RecoveryVaultDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('RedisCacheLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache", + "policy_group_names": null, + "reference_id": "RedisCacheDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('RelayLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay", + "policy_group_names": null, + "reference_id": "RelayDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('SearchServicesLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d", + "policy_group_names": null, + "reference_id": "SearchServicesDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('ServiceBusLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e", + "policy_group_names": null, + "reference_id": "ServiceBusDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SignalRLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR", + "policy_group_names": null, + "reference_id": "SignalRDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"diagnosticsSettingNameToUse\":{\"value\":\"[parameters('profileName')]\"},\"effect\":{\"value\":\"[parameters('SQLDBsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84", + "policy_group_names": null, + "reference_id": "SQLDatabaseDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools", + "policy_group_names": null, + "reference_id": "SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLMLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI", + "policy_group_names": null, + "reference_id": "SQLMDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('StreamAnalyticsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673", + "policy_group_names": null, + "reference_id": "StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights", + "policy_group_names": null, + "reference_id": "TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('TrafficManagerLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager", + "policy_group_names": null, + "reference_id": "TrafficManagerDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('VirtualNetworkLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork", + "policy_group_names": null, + "reference_id": "VirtualNetworkDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('VirtualMachinesLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM", + "policy_group_names": null, + "reference_id": "VirtualMachinesDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('VMSSLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS", + "policy_group_names": null, + "reference_id": "VMSSDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('VNetGWLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW", + "policy_group_names": null, + "reference_id": "VNetGWDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AppServiceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm", + "policy_group_names": null, + "reference_id": "AppServiceDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AppServiceWebappLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website", + "policy_group_names": null, + "reference_id": "AppServiceWebappDeployDiagnosticLogDeployLogAnalytics" + } + ], + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": { + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": 
{} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + } + ] + } + }, + { + "address": "module.test_core.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config\"]", + "mode": "managed", + "type": "azurerm_policy_set_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy Microsoft Defender for Cloud configuration", + 
"display_name": "Deploy Microsoft Defender for Cloud configuration", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Security Center\",\"version\":\"3.0.0\"}", + "name": "Deploy-MDFC-Config", + "parameters": "{\"ascExportResourceGroupLocation\":{\"metadata\":{\"description\":\"The location where the resource group and the export to Log Analytics workspace configuration are created.\",\"displayName\":\"Resource Group location for the export to Log Analytics workspace configuration\"},\"type\":\"String\"},\"ascExportResourceGroupName\":{\"metadata\":{\"description\":\"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\",\"displayName\":\"Resource Group name for the export to Log Analytics workspace configuration\"},\"type\":\"String\"},\"emailSecurityContact\":{\"metadata\":{\"description\":\"Provide email address for Microsoft Defender for Cloud contact details\",\"displayName\":\"Security contacts email address\"},\"type\":\"string\"},\"enableAscForAppServices\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForArm\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForContainers\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForDns\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForKeyVault\":{\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForOssDb\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForServers\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForSql\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForSqlOnVm\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForStorage\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Primary Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"}}", + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForOssDb')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a", + "policy_group_names": null, + "reference_id": "defenderForOssDb" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForServers')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222", + "policy_group_names": null, + "reference_id": "defenderForVM" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForSqlOnVm')]\"}}", + "policy_definition_id": 
"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3", + "policy_group_names": null, + "reference_id": "defenderForSqlServerVirtualMachines" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForAppServices')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d", + "policy_group_names": null, + "reference_id": "defenderForAppServices" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForStorage')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3", + "policy_group_names": null, + "reference_id": "defenderForStorageAccounts" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForContainers')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f", + "policy_group_names": null, + "reference_id": "defenderforContainers" + }, + { + "parameter_values": "{\"Effect\":{\"value\":\"[parameters('enableAscForKeyVault')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7", + "policy_group_names": null, + "reference_id": "defenderForKeyVaults" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForDns')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f", + "policy_group_names": null, + "reference_id": "defenderForDns" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForArm')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9", + "policy_group_names": null, + "reference_id": "defenderForArm" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('enableAscForSql')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491", + "policy_group_names": null, + "reference_id": "defenderForSqlPaas" + }, + { + "parameter_values": "{\"emailSecurityContact\":{\"value\":\"[parameters('emailSecurityContact')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts", + "policy_group_names": null, + "reference_id": "securityEmailContact" + }, + { + "parameter_values": "{\"resourceGroupLocation\":{\"value\":\"[parameters('ascExportResourceGroupLocation')]\"},\"resourceGroupName\":{\"value\":\"[parameters('ascExportResourceGroupName')]\"},\"workspaceResourceId\":{\"value\":\"[parameters('logAnalytics')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9", + "policy_group_names": null, + "reference_id": "ascExport" + } + ], + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": { + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + } + ] + } + }, + { + "address": "module.test_core.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones\"]", + "mode": "managed", + "type": "azurerm_policy_set_definition", + "name": "enterprise_scale", + "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones", + "display_name": "Configure Azure PaaS services to use private DNS zones", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", + "name": "Deploy-Private-DNS-Zones", + "parameters": "{\"azureAcrPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureAcrPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureAppPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureAppPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureAppServicesPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureAppServicesPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureAsrPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureAsrPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureBatchPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureBatchPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureCognitiveSearchPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone 
Identifier\",\"displayName\":\"azureCognitiveSearchPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureCognitiveServicesPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureCognitiveServicesPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureDiskAccessPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureDiskAccessPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureEventGridDomainsPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureEventGridDomainsPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureEventGridTopicsPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureEventGridTopicsPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureEventHubNamespacePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureEventHubNamespacePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureFilePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureFilePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureIotHubsPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureIotHubsPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureIotPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone 
Identifier\",\"displayName\":\"azureIotPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureKeyVaultPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureKeyVaultPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureMachineLearningWorkspacePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureMachineLearningWorkspacePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureRedisCachePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureRedisCachePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureServiceBusNamespacePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureServiceBusNamespacePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureSignalRPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureSignalRPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureWebPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureWebPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"string\"},\"effect1\":{\"allowedValues\":[\"deployIfNotExists\",\"Disabled\"],\"defaultValue\":\"deployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"string\"}}", + 
"policy_definition_group": [], + "policy_definition_reference": [ + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureFileprivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-File-Sync" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureWebPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-Web" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureBatchPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-Batch" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureAppPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-App" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureAsrPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-Site-Recovery" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureIotPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-IoT" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureKeyVaultPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-KeyVault" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureSignalRPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-SignalR" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureAppServicesPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-AppServices" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect1')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-EventGridTopics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureDiskAccessPrivateDnsZoneId')]\"}}", 
+ "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-DiskAccess" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-CognitiveServices" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect1')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureIotHubsPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-IoTHubs" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect1')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-EventGridDomains" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureRedisCachePrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-RedisCache" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureAcrPrivateDnsZoneId')]\"}}", + "policy_definition_id": 
"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-ACR" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-EventHubNamespace" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-MachineLearningWorkspace" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-ServiceBusNamespace" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-CognitiveSearch" + } + ], + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": { + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, 
+ { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + } + ] + } + }, + { + "address": "module.test_core.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security\"]", + "mode": "managed", + "type": "azurerm_policy_set_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment", + "display_name": "Deploy SQL Database built-in SQL security configuration", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "name": "Deploy-Sql-Security", + "parameters": "{\"SqlDbAuditingSettingsDeploySqlSecurityEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy auditing settings to SQL Database when it not exist in the deployment\",\"displayName\":\"Deploy SQL database auditing settings\"},\"type\":\"String\"},\"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current 
configuration\",\"displayName\":\"Deploy SQL Database security Alert Policies configuration with email admin accounts\"},\"type\":\"String\"},\"SqlDbTdeDeploySqlSecurityEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy the Transparent Data Encryption when it is not enabled in the deployment\",\"displayName\":\"Deploy SQL Database Transparent Data Encryption \"},\"type\":\"String\"},\"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\",\"displayName\":\"Deploy SQL Database vulnerability Assessments\"},\"type\":\"String\"},\"vulnerabilityAssessmentsEmail\":{\"metadata\":{\"description\":\"The email address to send alerts\",\"displayName\":\"The email address to send alerts\"},\"type\":\"String\"},\"vulnerabilityAssessmentsStorageID\":{\"metadata\":{\"description\":\"The storage account ID to store assessments\",\"displayName\":\"The storage account ID to store assessments\"},\"type\":\"String\"}}", + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde", + "policy_group_names": null, + "reference_id": "SqlDbTdeDeploySqlSecurity" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies", + "policy_group_names": 
null, + "reference_id": "SqlDbSecurityAlertPoliciesDeploySqlSecurity" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings", + "policy_group_names": null, + "reference_id": "SqlDbAuditingSettingsDeploySqlSecurity" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"},\"vulnerabilityAssessmentsEmail\":{\"value\":\"[parameters('vulnerabilityAssessmentsEmail')]\"},\"vulnerabilityAssessmentsStorageID\":{\"value\":\"[parameters('vulnerabilityAssessmentsStorageID')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments", + "policy_group_names": null, + "reference_id": "SqlDbVulnerabilityAssessmentsDeploySqlSecurity" + } + ], + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": { + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + } + ] + } + }, + { + "address": "module.test_core.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit\"]", + "mode": "managed", + "type": "azurerm_policy_set_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Choose either Deploy if not exist and append in combination with audit or 
Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit. ", + "display_name": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Encryption\",\"version\":\"1.0.0\"}", + "name": "Enforce-EncryptTransit", + "parameters": "{\"AKSIngressHttpsOnlyEffect\":{\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"deny\",\"metadata\":{\"description\":\"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\",\"displayName\":\"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\"},\"type\":\"String\"},\"APIAppServiceHttpsEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\"displayName\":\"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\"},\"type\":\"String\"},\"APIAppServiceLatestTlsEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"App Service API App. Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\",\"displayName\":\"App Service API App. 
Latest TLS version should be used in your API App\"},\"type\":\"String\"},\"AppServiceHttpEffect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\",\"displayName\":\"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\"},\"type\":\"String\"},\"AppServiceTlsVersionEffect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\",\"displayName\":\"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\"},\"type\":\"String\"},\"AppServiceminTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"App Service. Select version minimum TLS version for a Web App config to enforce\",\"displayName\":\"App Service. Select version minimum TLS Web App config\"},\"type\":\"String\"},\"FunctionLatestTlsEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\",\"displayName\":\"App Service Function App. Latest TLS version should be used in your Function App\"},\"type\":\"String\"},\"FunctionServiceHttpsEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"App Service Function App. Choose Deny or Audit in combination with Append policy. 
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\"displayName\":\"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\"},\"type\":\"String\"},\"MySQLEnableSSLDeployEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\"},\"type\":\"String\"},\"MySQLEnableSSLEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"MySQL database servers. 
Enforce SSL connection should be enabled for MySQL database servers\"},\"type\":\"String\"},\"MySQLminimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"MySQL database servers. Select version minimum TLS for MySQL server\"},\"type\":\"String\"},\"PostgreSQLEnableSSLDeployEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\"},\"type\":\"String\"},\"PostgreSQLEnableSSLEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"PostgreSQL database servers. 
Enforce SSL connection should be enabled for PostgreSQL database servers\"},\"type\":\"String\"},\"PostgreSQLminimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"PostgreSQL database servers. Select version minimum TLS for MySQL server\"},\"type\":\"String\"},\"RedisMinTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version for a Azure Cache for Redis to enforce\",\"displayName\":\"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\"},\"type\":\"String\"},\"RedisTLSDeployEffect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\"},\"type\":\"String\"},\"RedisTLSEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\"displayName\":\"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\"},\"type\":\"String\"},\"SQLManagedInstanceMinTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version for Azure Managed Instanceto to enforce\",\"displayName\":\"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\"},\"type\":\"String\"},\"SQLManagedInstanceTLSDeployEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\"},\"type\":\"String\"},\"SQLManagedInstanceTLSEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. 
Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\",\"displayName\":\"SQL Managed Instance should have the minimal TLS version of 1.2\"},\"type\":\"String\"},\"SQLServerTLSDeployEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\"},\"type\":\"String\"},\"SQLServerTLSEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\",\"displayName\":\"Azure SQL Database should have the minimal TLS version of 1.2\"},\"type\":\"String\"},\"SQLServerminTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version for Azure SQL Database to enforce\",\"displayName\":\"Azure SQL Database.Select version minimum TLS for Azure SQL Database\"},\"type\":\"String\"},\"StorageDeployHttpsEnabledEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Audit requirement of Secure transfer in your storage account. 
Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\",\"displayName\":\"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\"},\"type\":\"String\"},\"StorageHttpsEnabledEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\",\"displayName\":\"Azure Storage Account. Secure transfer to storage accounts should be enabled\"},\"type\":\"String\"},\"StorageminimumTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_1\",\"TLS1_0\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version on Azure Storage Account to enforce\",\"displayName\":\"Storage Account select minimum TLS version\"},\"type\":\"String\"},\"WebAppServiceHttpsEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\"displayName\":\"App Service Web App. Web Application should only be accessible over HTTPS. 
Choose Deny or Audit in combination with Append policy.\"},\"type\":\"String\"},\"WebAppServiceLatestTlsEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\",\"displayName\":\"App Service Web App. Latest TLS version should be used in your Web App\"},\"type\":\"String\"}}", + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AppServiceHttpEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", + "policy_group_names": null, + "reference_id": "AppServiceHttpEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AppServiceTlsVersionEffect')]\"},\"minTlsVersion\":{\"value\":\"[parameters('AppServiceminTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", + "policy_group_names": null, + "reference_id": "AppServiceminTlsVersion" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('APIAppServiceLatestTlsEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e", + "policy_group_names": null, + "reference_id": "APIAppServiceLatestTlsEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('FunctionLatestTlsEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", + "policy_group_names": null, + "reference_id": "FunctionLatestTlsEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('WebAppServiceLatestTlsEffect')]\"}}", + 
"policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", + "policy_group_names": null, + "reference_id": "WebAppServiceLatestTlsEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('APIAppServiceHttpsEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", + "policy_group_names": null, + "reference_id": "APIAppServiceHttpsEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('FunctionServiceHttpsEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", + "policy_group_names": null, + "reference_id": "FunctionServiceHttpsEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('WebAppServiceHttpsEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", + "policy_group_names": null, + "reference_id": "WebAppServiceHttpsEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AKSIngressHttpsOnlyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "policy_group_names": null, + "reference_id": "AKSIngressHttpsOnlyEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLEnableSSLDeployEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('MySQLminimalTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", + "policy_group_names": null, + "reference_id": "MySQLEnableSSLDeployEffect" + }, + { + 
"parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLEnableSSLEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('MySQLminimalTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", + "policy_group_names": null, + "reference_id": "MySQLEnableSSLEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLEnableSSLDeployEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('PostgreSQLminimalTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", + "policy_group_names": null, + "reference_id": "PostgreSQLEnableSSLDeployEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLEnableSSLEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('PostgreSQLminimalTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", + "policy_group_names": null, + "reference_id": "PostgreSQLEnableSSLEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('RedisTLSDeployEffect')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('RedisMinTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", + "policy_group_names": null, + "reference_id": "RedisTLSDeployEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('RedisTLSDeployEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", + "policy_group_names": null, + "reference_id": 
"RedisdisableNonSslPort" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('RedisTLSEffect')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('RedisMinTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", + "policy_group_names": null, + "reference_id": "RedisDenyhttps" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLManagedInstanceTLSDeployEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('SQLManagedInstanceMinTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", + "policy_group_names": null, + "reference_id": "SQLManagedInstanceTLSDeployEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLManagedInstanceTLSEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('SQLManagedInstanceMinTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", + "policy_group_names": null, + "reference_id": "SQLManagedInstanceTLSEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLServerTLSDeployEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('SQLServerminTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", + "policy_group_names": null, + "reference_id": "SQLServerTLSDeployEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLServerTLSEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('SQLServerminTlsVersion')]\"}}", + "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", + "policy_group_names": null, + "reference_id": "SQLServerTLSEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('StorageHttpsEnabledEffect')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('StorageMinimumTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS", + "policy_group_names": null, + "reference_id": "StorageHttpsEnabledEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('StorageDeployHttpsEnabledEffect')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('StorageMinimumTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", + "policy_group_names": null, + "reference_id": "StorageDeployHttpsEnabledEffect" + } + ], + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": { + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + } + ] + } + }, + { + "address": 
"module.test_core.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK\"]", + "mode": "managed", + "type": "azurerm_policy_set_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", + "display_name": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Encryption\",\"version\":\"1.0.0\"}", + "name": "Enforce-Encryption-CMK", + "parameters": "{\"ACRCmkEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\",\"displayName\":\"Container registries should be encrypted with a customer-managed key (CMK)\"},\"type\":\"String\"},\"AksCmkEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. 
This is a common requirement in many regulatory and industry compliance standards.\",\"displayName\":\"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\"},\"type\":\"String\"},\"AzureBatchCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\",\"displayName\":\"Azure Batch account should use customer-managed keys to encrypt data\"},\"type\":\"String\"},\"CognitiveServicesCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\",\"displayName\":\"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\"},\"type\":\"String\"},\"CosmosCMKEffect\":{\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\",\"metadata\":{\"description\":\"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. 
By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\",\"displayName\":\"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\"},\"type\":\"String\"},\"DataBoxCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\",\"displayName\":\"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\"},\"type\":\"String\"},\"EncryptedVMDisksEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\",\"displayName\":\"Disk encryption should be applied on virtual machines\"},\"type\":\"String\"},\"HealthcareAPIsCMKEffect\":{\"allowedValues\":[\"audit\",\"disabled\"],\"defaultValue\":\"audit\",\"metadata\":{\"description\":\"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. 
Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\",\"displayName\":\"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\"},\"type\":\"String\"},\"MySQLCMKEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\"displayName\":\"Azure MySQL servers bring your own key data protection should be enabled\"},\"type\":\"String\"},\"PostgreSQLCMKEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.\",\"displayName\":\"Azure PostgreSQL servers bring your own key data protection should be enabled\"},\"type\":\"String\"},\"SqlServerTDECMKEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\",\"displayName\":\"SQL servers should use customer-managed keys to encrypt data at rest\"},\"type\":\"String\"},\"StorageCMKEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\",\"displayName\":\"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\"},\"type\":\"String\"},\"StreamAnalyticsCMKEffect\":{\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\",\"metadata\":{\"description\":\"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. 
This gives you total control over how your Stream Analytics data is encrypted.\",\"displayName\":\"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\"},\"type\":\"String\"},\"SynapseWorkspaceCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\",\"displayName\":\"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\"},\"type\":\"String\"},\"WorkspaceCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\",\"displayName\":\"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\"},\"type\":\"String\"}}", + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('ACRCmkEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580", + "policy_group_names": null, + "reference_id": "ACRCmkDeny" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AksCmkEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67", + "policy_group_names": null, + "reference_id": "AksCmkDeny" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('WorkspaceCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8", + "policy_group_names": null, + "reference_id": "WorkspaceCMK" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('CognitiveServicesCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d", + "policy_group_names": null, + "reference_id": "CognitiveServicesCMK" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('CosmosCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f", + "policy_group_names": null, + "reference_id": "CosmosCMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataBoxCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae", + "policy_group_names": null, + "reference_id": "DataBoxCMKEffect" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('StreamAnalyticsCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7", + "policy_group_names": null, + "reference_id": "StreamAnalyticsCMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SynapseWorkspaceCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385", + "policy_group_names": null, + "reference_id": "SynapseWorkspaceCMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('StorageCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25", + "policy_group_names": null, + "reference_id": "StorageCMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833", + "policy_group_names": null, + "reference_id": "MySQLCMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274", + "policy_group_names": null, + "reference_id": "PostgreSQLCMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlServerTDECMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd", + "policy_group_names": null, + "reference_id": "SqlServerTDECMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('HealthcareAPIsCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119", + "policy_group_names": null, + "reference_id": 
"HealthcareAPIsCMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AzureBatchCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a", + "policy_group_names": null, + "reference_id": "AzureBatchCMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('EncryptedVMDisksEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d", + "policy_group_names": null, + "reference_id": "EncryptedVMDisksEffect" + } + ], + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": { + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + } + ] + } + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-connectivity/providers/Microsoft.Authorization/roleAssignments/2c342278-007c-54fe-9248-9b595e234ba9\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-connectivity/providers/Microsoft.Authorization/roleAssignments/2c342278-007c-54fe-9248-9b595e234ba9", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "2c342278-007c-54fe-9248-9b595e234ba9", + "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-connectivity", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/roleAssignments/913f587c-77a4-5440-ba16-48de7d0080d2\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/roleAssignments/913f587c-77a4-5440-ba16-48de7d0080d2", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "913f587c-77a4-5440-ba16-48de7d0080d2", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/roleAssignments/cfaa2796-3156-5c78-94a2-7c017ffe32bb\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/roleAssignments/cfaa2796-3156-5c78-94a2-7c017ffe32bb", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": 
"cfaa2796-3156-5c78-94a2-7c017ffe32bb", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/1134e9e3-3bc3-5220-89e4-0c7ac5e0e779\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/1134e9e3-3bc3-5220-89e4-0c7ac5e0e779", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "1134e9e3-3bc3-5220-89e4-0c7ac5e0e779", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/3621f075-0492-5ec9-a8ad-40d284e3e4d1\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/3621f075-0492-5ec9-a8ad-40d284e3e4d1", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + 
"delegated_managed_identity_resource_id": null, + "description": null, + "name": "3621f075-0492-5ec9-a8ad-40d284e3e4d1", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/7045a468-5463-57ef-85af-cd7f5397aa16\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/7045a468-5463-57ef-85af-cd7f5397aa16", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "7045a468-5463-57ef-85af-cd7f5397aa16", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/78b4dff1-81d0-5991-aec4-332fdce426cb\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/78b4dff1-81d0-5991-aec4-332fdce426cb", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + 
"schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "78b4dff1-81d0-5991-aec4-332fdce426cb", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/926ac02b-01f3-57dc-b7d0-b7a1056019f4\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/926ac02b-01f3-57dc-b7d0-b7a1056019f4", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "926ac02b-01f3-57dc-b7d0-b7a1056019f4", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/a3ca23ea-bd49-51a5-a288-c88857197d75\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/a3ca23ea-bd49-51a5-a288-c88857197d75", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "a3ca23ea-bd49-51a5-a288-c88857197d75", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/bfba15ef-a6d1-5f62-9730-d7ffc81bae8c\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/bfba15ef-a6d1-5f62-9730-d7ffc81bae8c", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "bfba15ef-a6d1-5f62-9730-d7ffc81bae8c", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/18ed5180-3e48-46fd-8541-4ea054d57064", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-management/providers/Microsoft.Authorization/roleAssignments/3cc45445-2e8f-5ed8-9e5a-0b73e3739c62\"]", + "mode": "managed", + "type": 
"azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-management/providers/Microsoft.Authorization/roleAssignments/3cc45445-2e8f-5ed8-9e5a-0b73e3739c62", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "3cc45445-2e8f-5ed8-9e5a-0b73e3739c62", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-management", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/130a22c1-674c-5a2a-b818-15ffc7d51207\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/130a22c1-674c-5a2a-b818-15ffc7d51207", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "130a22c1-674c-5a2a-b818-15ffc7d51207", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/19d1b7bb-0519-5651-91ab-25499f1709ad\"]", + "mode": "managed", + 
"type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/19d1b7bb-0519-5651-91ab-25499f1709ad", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "19d1b7bb-0519-5651-91ab-25499f1709ad", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/281224b7-afc9-5e49-8553-8ca4d6c01a8a\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/281224b7-afc9-5e49-8553-8ca4d6c01a8a", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "281224b7-afc9-5e49-8553-8ca4d6c01a8a", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/4a679915-ced3-5c00-88d6-4f66597b95a4\"]", + "mode": "managed", + "type": 
"azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/4a679915-ced3-5c00-88d6-4f66597b95a4", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "4a679915-ced3-5c00-88d6-4f66597b95a4", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/4e722adf-bfdc-516b-9dde-5eff6fbd980e\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/4e722adf-bfdc-516b-9dde-5eff6fbd980e", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "4e722adf-bfdc-516b-9dde-5eff6fbd980e", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/5ff839a8-6bd0-5967-b385-4340bdeda854\"]", + "mode": "managed", + "type": 
"azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/5ff839a8-6bd0-5967-b385-4340bdeda854", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "5ff839a8-6bd0-5967-b385-4340bdeda854", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/6ebb856f-5448-5efc-9dc4-07e7065dc6ff\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/6ebb856f-5448-5efc-9dc4-07e7065dc6ff", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "6ebb856f-5448-5efc-9dc4-07e7065dc6ff", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/7eaea779-6033-5588-93af-e5dd34f731ab\"]", + "mode": "managed", + "type": 
"azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/7eaea779-6033-5588-93af-e5dd34f731ab", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "7eaea779-6033-5588-93af-e5dd34f731ab", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/7f9a44eb-87f1-5b90-bcff-fcf48b20b251\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/7f9a44eb-87f1-5b90-bcff-fcf48b20b251", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "7f9a44eb-87f1-5b90-bcff-fcf48b20b251", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/95eb7160-7dee-545e-8f03-79c8f032e209\"]", + "mode": "managed", + "type": 
"azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/95eb7160-7dee-545e-8f03-79c8f032e209", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "95eb7160-7dee-545e-8f03-79c8f032e209", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/a77036d7-9519-59c5-8a42-5fc5ebe92c6c\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/a77036d7-9519-59c5-8a42-5fc5ebe92c6c", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "a77036d7-9519-59c5-8a42-5fc5ebe92c6c", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_definition.enterprise_scale[\"/providers/Microsoft.Authorization/roleDefinitions/6a8ddaca-120a-579a-a375-1abe30d29f6d\"]", + "mode": "managed", + "type": "azurerm_role_definition", + "name": "enterprise_scale", + "index": 
"/providers/Microsoft.Authorization/roleDefinitions/6a8ddaca-120a-579a-a375-1abe30d29f6d", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 1, + "values": { + "assignable_scopes": [ + "/providers/Microsoft.Management/managementGroups/root-id-1" + ], + "description": "Enterprise-scale custom Role Definition. Grants full access to manage Virtual Network subnets, but no other network resources.", + "name": "[ROOT-ID-1] Network-Subnet-Contributor", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.Network/*/read", + "Microsoft.Network/virtualNetworks/subnets/*" + ], + "data_actions": null, + "not_actions": [], + "not_data_actions": null + } + ], + "role_definition_id": "6a8ddaca-120a-579a-a375-1abe30d29f6d", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": { + "assignable_scopes": [ + false + ], + "permissions": [ + { + "actions": [ + false, + false, + false, + false, + false, + false, + false, + false + ], + "not_actions": [] + } + ] + } + }, + { + "address": "module.test_core.time_sleep.after_azurerm_management_group", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_management_group", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "120s", + "destroy_duration": "0s", + "triggers": { + "azurerm_management_group_level_1": "[\"/providers/Microsoft.Management/managementGroups/root-id-1\"]", + "azurerm_management_group_level_2": 
"[\"/providers/Microsoft.Management/managementGroups/root-id-1-decommissioned\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones\",\"/providers/Microsoft.Management/managementGroups/root-id-1-platform\",\"/providers/Microsoft.Management/managementGroups/root-id-1-sandboxes\"]", + "azurerm_management_group_level_3": "[\"/providers/Microsoft.Management/managementGroups/root-id-1-connectivity\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity\",\"/providers/Microsoft.Management/managementGroups/root-id-1-management\"]", + "azurerm_management_group_level_4": "[]", + "azurerm_management_group_level_5": "[]", + "azurerm_management_group_level_6": "[]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_core.time_sleep.after_azurerm_policy_assignment", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_policy_assignment", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_management_group_policy_assignment_enterprise_scale": 
"[\"/providers/Microsoft.Management/managementGroups/root-id-1-connectivity/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Public-IP\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-IP-Forwarding\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Containers-AKS\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Escalation-AKS\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Storage-http\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-AKS-Policy\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-DB-Auditing\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zo
nes/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Threat\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-AKS-HTTPS\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL\",\"/providers/Microsoft.Management/managementGroups/root-id-1-management/providers/Microsoft.Authorization/policyAssignments/Deploy-Log-Analytics\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Monitoring\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-AzActivity-Log\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-LX-Arc-Monitoring\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-MDFC-Config\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-Resource-Diag\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-Monitoring\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-WS-Arc-Monitoring\"]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": 
"module.test_core.time_sleep.after_azurerm_policy_definition", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_policy_definition", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_policy_definition_enterprise_scale": "[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AA-child-resources\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\"/providers/Microsoft.Management/managementGroups/root
-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Aks\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-SubnetId\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-VmSize\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-Scale\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-HbiWorkspace\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicAccessWhenBehindVnet\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny
-Private-DNS-Zones\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-VNet-Peering\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Budget\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Custom-Route-Table\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Micr
osoft.Authorization/policyDefinitions/Deploy-DDoSProtection\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\"/providers/Microsoft.Management/managementGro
ups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Dep
loy-Diagnostics-VMSS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-FirewallPolicy\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs-to-LA\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions
/Deploy-SQL-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-VNET-HubSpoke\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Windows-DomainJoin\"]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_core.time_sleep.after_azurerm_policy_set_definition", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_policy_set_definition", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_policy_set_definition_enterprise_scale": 
"[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK\"]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_core.time_sleep.after_azurerm_role_assignment", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_role_assignment", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_policy_assignment_enterprise_scale": "[]", + "azurerm_policy_assignment_policy_assignment": 
"[\"/providers/Microsoft.Management/managementGroups/root-id-1-connectivity/providers/Microsoft.Authorization/roleAssignments/2c342278-007c-54fe-9248-9b595e234ba9\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/roleAssignments/913f587c-77a4-5440-ba16-48de7d0080d2\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/roleAssignments/cfaa2796-3156-5c78-94a2-7c017ffe32bb\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/1134e9e3-3bc3-5220-89e4-0c7ac5e0e779\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/3621f075-0492-5ec9-a8ad-40d284e3e4d1\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/7045a468-5463-57ef-85af-cd7f5397aa16\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/78b4dff1-81d0-5991-aec4-332fdce426cb\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/926ac02b-01f3-57dc-b7d0-b7a1056019f4\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/a3ca23ea-bd49-51a5-a288-c88857197d75\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/bfba15ef-a6d1-5f62-9730-d7ffc81bae8c\",\"/providers/Microsoft.Management/managementGroups/root-id-1-management/providers/Microsoft.Authorization/roleAssignments/3cc45445-2e8f-5ed8-9e5a-0b73e3739c62\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/130a22c1-674c-5a2a-b818-15ffc7d51207\",\"/providers/Microsoft.Management/managementGroups/root-id
-1/providers/Microsoft.Authorization/roleAssignments/19d1b7bb-0519-5651-91ab-25499f1709ad\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/281224b7-afc9-5e49-8553-8ca4d6c01a8a\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/4a679915-ced3-5c00-88d6-4f66597b95a4\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/4e722adf-bfdc-516b-9dde-5eff6fbd980e\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/5ff839a8-6bd0-5967-b385-4340bdeda854\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/6ebb856f-5448-5efc-9dc4-07e7065dc6ff\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/7eaea779-6033-5588-93af-e5dd34f731ab\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/7f9a44eb-87f1-5b90-bcff-fcf48b20b251\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/95eb7160-7dee-545e-8f03-79c8f032e209\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/a77036d7-9519-59c5-8a42-5fc5ebe92c6c\"]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_core.time_sleep.after_azurerm_role_definition", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_role_definition", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_role_definition_enterprise_scale": "[\"/providers/Microsoft.Authorization/roleDefinitions/6a8ddaca-120a-579a-a375-1abe30d29f6d\"]" + } + }, + 
"sensitive_values": {
+ "triggers": {}
+ }
+ }
+ ],
+ "address": "module.test_core"
+ }
+ ]
+}
diff --git a/tests/modules/test_001_baseline/providers.tf b/tests/modules/test_001_baseline/providers.tf
new file mode 100644
index 00000000..83314ab1
--- /dev/null
+++ b/tests/modules/test_001_baseline/providers.tf
@@ -0,0 +1,13 @@
+provider "azurerm" {
+ features {}
+}
+
+provider "azurerm" {
+ alias = "connectivity"
+ features {}
+}
+
+provider "azurerm" {
+ alias = "management"
+ features {}
+}
diff --git a/tests/modules/test_001_baseline/settings.tf b/tests/modules/test_001_baseline/settings.tf
new file mode 100644
index 00000000..efce301f
--- /dev/null
+++ b/tests/modules/test_001_baseline/settings.tf
@@ -0,0 +1,7 @@
+# Obtain configuration settings.
+module "settings" {
+ source = "../settings"
+
+ root_id = var.root_id
+ primary_location = var.primary_location
+}
diff --git a/tests/deployment/provider.tf b/tests/modules/test_001_baseline/terraform.tf
similarity index 51%
rename from tests/deployment/provider.tf
rename to tests/modules/test_001_baseline/terraform.tf
index 4491b37a..dbf21f3a 100644
--- a/tests/deployment/provider.tf
+++ b/tests/modules/test_001_baseline/terraform.tf
@@ -2,25 +2,14 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "2.77.0"
+ version = "2.96.0"
 configuration_aliases = [
 azurerm.connectivity,
 azurerm.management,
 ]
 }
 }
-}
-
-provider "azurerm" {
- features {}
-}
-
-provider "azurerm" {
- alias = "connectivity"
- features {}
-}
-
-provider "azurerm" {
- alias = "management"
- features {}
+ backend "local" {
+ path = "../tfstate/test_framework.tfstate"
+ }
 }
diff --git a/tests/deployment/variables.tf b/tests/modules/test_001_baseline/variables.tf
similarity index 62%
rename from tests/deployment/variables.tf
rename to tests/modules/test_001_baseline/variables.tf
index c0b6bbcd..ba5e59a8 100644
--- a/tests/deployment/variables.tf
+++ b/tests/modules/test_001_baseline/variables.tf
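Review bot: The `backend "local"` block added in terraform.tf writes state to `../tfstate/test_framework.tfstate`, and Terraform state stores resource attributes in plaintext, including any marked sensitive. Nothing in this hunk shows that the `tfstate` directory is git-ignored or kept out of published pipeline artifacts, so that should be confirmed before merge. The path is relative to the module directory, so if other test modules declare the same backend path (not visible here) they would share one state file. I would document the intent on the block, for example `# Local state holds resource attributes in plaintext; keep ../tfstate out of version control and build artifacts.`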
@@ -1,16 +1,6 @@ -variable "root_id_1" { +variable "root_id" { type = string - default = "root-1" -} - -variable "root_id_2" { - type = string - default = "root-2" -} - -variable "root_id_3" { - type = string - default = "root-3" + default = "12345" } variable "root_name" { @@ -18,9 +8,14 @@ variable "root_name" { default = "Test Framework" } -variable "location" { +variable "primary_location" { type = string - default = "uksouth" + default = "northeurope" +} + +variable "secondary_location" { + type = string + default = "westeurope" } variable "create_duration_delay" { diff --git a/tests/modules/test_002_add_custom_core/client_config.tf b/tests/modules/test_002_add_custom_core/client_config.tf new file mode 100644 index 00000000..82c49b84 --- /dev/null +++ b/tests/modules/test_002_add_custom_core/client_config.tf @@ -0,0 +1,7 @@ +data "azurerm_client_config" "connectivity" { + provider = azurerm.connectivity +} + +data "azurerm_client_config" "management" { + provider = azurerm.management +} diff --git a/tests/modules/test_002_add_custom_core/main.tf b/tests/modules/test_002_add_custom_core/main.tf new file mode 100644 index 00000000..4a94e190 --- /dev/null +++ b/tests/modules/test_002_add_custom_core/main.tf 
@@ -0,0 +1,48 @@
+module "test_core" {
+ source = "../../../"
+
+ providers = {
+ azurerm = azurerm.management
+ azurerm.connectivity = azurerm.connectivity
+ azurerm.management = azurerm.management
+ }
+
+ # Base module configuration settings
+ root_parent_id = data.azurerm_client_config.management.tenant_id
+ root_id = var.root_id
+ root_name = var.root_name
+ default_location = var.primary_location
+ default_tags = module.settings.shared.default_tags
+
+ # Tuning delay timers to improve pipeline completion success rate
+ create_duration_delay = var.create_duration_delay
+ destroy_duration_delay = var.destroy_duration_delay
+
+ # Configuration settings for optional landing zones
+ deploy_corp_landing_zones = true
+ deploy_online_landing_zones = true
+ deploy_sap_landing_zones = true
+ deploy_demo_landing_zones = true
+
+ # Configure path for custom library folder and
+ # custom template file variables
+ library_path = "${path.root}/../test_lib"
+ template_file_variables = module.settings.core.custom_template_file_variables
+
+ # Configuration settings for core resources
+ deploy_core_landing_zones = true
+ custom_landing_zones = module.settings.core.custom_landing_zones
+ archetype_config_overrides = module.settings.core.archetype_config_overrides
+ subscription_id_overrides = module.settings.core.subscription_id_overrides
+
+ # Configuration settings for management resources
+ deploy_management_resources = false
+ configure_management_resources = module.settings.management.configure_management_resources
+ subscription_id_management = data.azurerm_client_config.management.subscription_id
+
+ # Configuration settings for connectivity resources
+ deploy_connectivity_resources = false
+ configure_connectivity_resources = module.settings.connectivity.configure_connectivity_resources
+ subscription_id_connectivity = data.azurerm_client_config.connectivity.subscription_id
+
+}
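Review bot: The `providers` map passes `azurerm = azurerm.management`, so the module's default provider runs with the management alias, and `root_parent_id` is set to the tenant ID, which places the whole test hierarchy directly under the tenant root; neither choice is explained in main.tf. The planned values for this test include management groups, policy assignments and role assignments at that scope, so the identity running it presumably needs tenant-root-level rights. I would add a comment above `providers`, such as `# Default provider is aliased to management on purpose; core resources deploy with that identity`, and one above `root_parent_id` naming the scope the test identity must hold. That keeps the privilege the test requires documented next to the setting that demands it.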
diff --git a/tests/modules/test_002_add_custom_core/outputs.tf b/tests/modules/test_002_add_custom_core/outputs.tf
new file mode 100644
index 00000000..69ef5b8a
--- /dev/null
+++ b/tests/modules/test_002_add_custom_core/outputs.tf
@@ -0,0 +1,19 @@
+# The following output gives the a summary of all resources
+# created by the enterprise_scale module, formatted to allow
+# easy identification of the resource IDs as stored in the
+# Terraform state.
+
+output "resource_ids" {
+ value = {
+ for module_name, module_output in {
+ test_core = module.test_core
+ } :
+ module_name => {
+ for resource_type, resource_instances in module_output :
+ resource_type => {
+ for resource_name, resource_configs in resource_instances :
+ resource_name => keys(resource_configs)
+ }
+ }
+ }
+}
diff --git a/tests/modules/test_002_add_custom_core/planned_values.json b/tests/modules/test_002_add_custom_core/planned_values.json
new file mode 100644
index 00000000..559eff8c
--- /dev/null
+++ b/tests/modules/test_002_add_custom_core/planned_values.json
@@ -0,0 +1,6374 @@ +{ + "child_modules": [ + { + "resources": [ + { + "address": "module.test_core.azurerm_management_group.level_1[\"/providers/Microsoft.Management/managementGroups/root-id-1\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_1", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "root-name", + "name": "root-id-1", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/dac8feee-8768-4fbd-9cf9-9d96d4718018", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_2[\"/providers/Microsoft.Management/managementGroups/root-id-1-decommissioned\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_2", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-decommissioned", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Decommissioned", + "name": "root-id-1-decommissioned", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_2[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_2", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Landing Zones", + "name": "root-id-1-landing-zones", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": 
{ + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_2[\"/providers/Microsoft.Management/managementGroups/root-id-1-platform\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_2", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-platform", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Platform", + "name": "root-id-1-platform", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_2[\"/providers/Microsoft.Management/managementGroups/root-id-1-sandboxes\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_2", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-sandboxes", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Sandboxes", + "name": "root-id-1-sandboxes", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-1-connectivity\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_3", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-connectivity", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Connectivity", + "name": "root-id-1-connectivity", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-platform", + "subscription_ids": [ + "b2ce43c7-d4ec-4878-8df7-b513d90bedbe" + ], + "timeouts": null + 
}, + "sensitive_values": { + "subscription_ids": [ + false + ] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-1-corp\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_3", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-corp", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Corp", + "name": "root-id-1-corp", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_3", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Corp (Demo)", + "name": "root-id-1-demo-corp", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-1-demo-online\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_3", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-demo-online", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Online (Demo)", + "name": "root-id-1-demo-online", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + 
"sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-1-demo-sap\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_3", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-demo-sap", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "SAP (Demo)", + "name": "root-id-1-demo-sap", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_3", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Identity", + "name": "root-id-1-identity", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-platform", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-1-management\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_3", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-management", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Management", + "name": "root-id-1-management", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-platform", + "subscription_ids": [ + 
"4d59de28-6dfe-4706-a4df-50ebe695a300" + ], + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [ + false + ] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-1-online\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_3", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-online", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Online", + "name": "root-id-1-online", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-1-sap\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_3", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-sap", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "SAP", + "name": "root-id-1-sap", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-1-secure\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_3", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-secure", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Secure Workloads (HITRUST/HIPAA)", + "name": "root-id-1-secure", + "parent_management_group_id": 
"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_4[\"/providers/Microsoft.Management/managementGroups/root-id-1-web-emea\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_4", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-web-emea", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "EMEA Web Applications", + "name": "root-id-1-web-emea", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-online", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_4[\"/providers/Microsoft.Management/managementGroups/root-id-1-web-global\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_4", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-web-global", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Global Web Applications", + "name": "root-id-1-web-global", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-online", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_4[\"/providers/Microsoft.Management/managementGroups/root-id-1-web-us\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_4", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-web-us", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "US Web Applications", + "name": "root-id-1-web-us", + "parent_management_group_id": 
"/providers/Microsoft.Management/managementGroups/root-id-1-online", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-connectivity/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-connectivity/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs.", + "display_name": "Virtual networks should be protected by Azure DDoS Protection Standard", + "enforce": false, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-connectivity", + "name": "Enable-DDoS-VNET", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"ddosPlan\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-ddos/providers/Microsoft.Network/ddosProtectionPlans/root-id-1-ddos-northeurope\"},\"effect\":{\"value\":\"Modify\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": 
"module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/policyAssignments/Deny-Public-Endpoints\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/policyAssignments/Deny-Public-Endpoints", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints.", + "display_name": "Public network access should be disabled for PaaS services", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-corp", + "name": "Deny-Public-Endpoints", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy 
initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones.", + "display_name": "Configure Azure PaaS services to use private DNS zones", + "enforce": false, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-corp", + "name": "Deploy-Private-DNS-Zones", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"azureAcrPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io\"},\"azureAppPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io\"},\"azureAppServicesPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net\"},\"azureAsrPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.siterecovery.windowsazure.com\"},\"azureBatchPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.northeurope.batch.azure.com\"},\"azureCognitiveSearchPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.search.windows.net\"},\"azureCognitiveServicesPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.cognitiveservices.azure.com\"},\"azureDiskAccessPrivateDnsZ
oneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net\"},\"azureEventGridDomainsPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.eventgrid.azure.net\"},\"azureEventGridTopicsPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.eventgrid.azure.net\"},\"azureEventHubNamespacePrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net\"},\"azureFilePrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.afs.azure.net\"},\"azureIoTPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azure-devices-provisioning.net\"},\"azureIotHubsPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azure-devices.net\"},\"azureKeyVaultPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net\"},\"azureMachineLearningWorkspacePrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.api.azureml.ms\"},\"azureRedisCachePrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/
providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net\"},\"azureServiceBusNamespacePrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net\"},\"azureSignalRPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.service.signalr.net\"},\"azureWebPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.webpubsub.azure.com\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp/providers/Microsoft.Authorization/policyAssignments/Deny-Public-Endpoints\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp/providers/Microsoft.Authorization/policyAssignments/Deny-Public-Endpoints", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints.", + "display_name": "Public network access should be disabled for PaaS services", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": 
"/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp", + "name": "Deny-Public-Endpoints", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones.", + "display_name": "Configure Azure PaaS services to use private DNS zones", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp", + "name": "Deploy-Private-DNS-Zones", + "non_compliance_message": [], + "not_scopes": [], + "parameters": 
"{\"azureAcrPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io\"},\"azureAppPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io\"},\"azureAppServicesPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net\"},\"azureAsrPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/northeurope.privatelink.siterecovery.windowsazure.com\"},\"azureBatchPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.northeurope.batch.azure.com\"},\"azureCognitiveSearchPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.search.windows.net\"},\"azureCognitiveServicesPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.cognitiveservices.azure.com\"},\"azureDiskAccessPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net\"},\"azureEventGridDomainsPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.eventgrid.azure.net\"},\"azureEventGridTopicsPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedb
e/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.eventgrid.azure.net\"},\"azureEventHubNamespacePrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net\"},\"azureFilePrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.afs.azure.net\"},\"azureIoTPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azure-devices-provisioning.net\"},\"azureIotHubsPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azure-devices.net\"},\"azureKeyVaultPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net\"},\"azureMachineLearningWorkspacePrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.api.azureml.ms\"},\"azureRedisCachePrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net\"},\"azureServiceBusNamespacePrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net\"},\"azureSignalRPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.service.signalr
.net\"},\"azureWebPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.webpubsub.azure.com\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Public-IP\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Public-IP", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies creation of Public IPs under the assigned scope.", + "display_name": "Deny the creation of public IP", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", + "name": "Deny-Public-IP", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"effect\":{\"value\":\"Deny\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": 
"module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies any network security rule that allows RDP access from Internet.", + "display_name": "RDP access from the Internet should be blocked", + "enforce": false, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", + "name": "Deny-RDP-From-Internet", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"effect\":{\"value\":\"Deny\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy 
denies the creation of a subnet without a Network Security Group to protect traffic across subnets.", + "display_name": "Subnets should have a Network Security Group", + "enforce": false, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", + "name": "Deny-Subnet-Without-Nsg", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"effect\":{\"value\":\"Deny\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. 
See https://aka.ms/AzureVMAppCentricBackupExcludeTag.", + "display_name": "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy", + "enforce": false, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", + "name": "Deploy-VM-Backup", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"effect\":{\"value\":\"deployIfNotExists\"},\"exclusionTagName\":{\"value\":\"\"},\"exclusionTagValue\":{\"value\":[]}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-IP-Forwarding\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-IP-Forwarding", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. 
This should be reviewed by the network security team.", + "display_name": "Network interfaces should disable IP forwarding", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deny-IP-Forwarding", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Containers-AKS\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Containers-AKS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. 
For more information, see https://aka.ms/kubepolicydoc.", + "display_name": "Kubernetes cluster should not allow privileged containers", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deny-Priv-Containers-AKS", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"effect\":{\"value\":\"deny\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Escalation-AKS\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Escalation-AKS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. 
For more information, see https://aka.ms/kubepolicydoc.", + "display_name": "Kubernetes clusters should not allow container privilege escalation", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deny-Priv-Escalation-AKS", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"effect\":{\"value\":\"deny\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies any network security rule that allows RDP access from Internet.", + "display_name": "RDP access from the Internet should be blocked", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deny-RDP-From-Internet", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + 
"non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Storage-http\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Storage-http", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "display_name": "Secure transfer to storage accounts should be enabled", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deny-Storage-http", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": 
"enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets.", + "display_name": "Subnets should have a Network Security Group", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deny-Subnet-Without-Nsg", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-AKS-Policy\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-AKS-Policy", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. 
For more information, see https://aka.ms/akspolicydoc.", + "display_name": "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deploy-AKS-Policy", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-DB-Auditing\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-DB-Auditing", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.", + "display_name": "Auditing on SQL server should be enabled", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deploy-SQL-DB-Auditing", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9", + "timeouts": null 
+ }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Threat\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Threat", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy ensures that Threat Detection is enabled on SQL Servers.", + "display_name": "Deploy Threat Detection on SQL servers", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deploy-SQL-Threat", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup", + "provider_name": 
"registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.", + "display_name": "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deploy-VM-Backup", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. 
For more information, visit https://aka.ms/ddosprotectiondocs.", + "display_name": "Virtual networks should be protected by Azure DDoS Protection Standard", + "enforce": false, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Enable-DDoS-VNET", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"ddosPlan\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-ddos/providers/Microsoft.Network/ddosProtectionPlans/root-id-1-ddos-northeurope\"},\"effect\":{\"value\":\"Modify\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-AKS-HTTPS\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-AKS-HTTPS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. 
For more info, visit https://aka.ms/kubepolicydoc.", + "display_name": "Kubernetes clusters should be accessible only over HTTPS", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Enforce-AKS-HTTPS", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"effect\":{\"value\":\"deny\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. 
Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit.", + "display_name": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Enforce-TLS-SSL", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-management/providers/Microsoft.Authorization/policyAssignments/Deploy-Log-Analytics\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-management/providers/Microsoft.Authorization/policyAssignments/Deploy-Log-Analytics", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy-Log-Analytics.", + "display_name": "Deploy-Log-Analytics", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-management", + "name": "Deploy-Log-Analytics", + "non_compliance_message": [], + "not_scopes": [], + "parameters": 
"{\"automationAccountName\":{\"value\":\"root-id-1-automation\"},\"automationRegion\":{\"value\":\"northeurope\"},\"dataRetention\":{\"value\":\"60\"},\"effect\":{\"value\":\"DeployIfNotExists\"},\"rgName\":{\"value\":\"root-id-1-mgmt\"},\"sku\":{\"value\":\"pergb2018\"},\"workspaceName\":{\"value\":\"root-id-1-la\"},\"workspaceRegion\":{\"value\":\"northeurope\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Specifies the allowed locations (regions) where Resource Groups can be deployed. 
Generated from custom Terraform template.", + "display_name": "Limit allowed locations for Resource Groups", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-secure", + "name": "Deny-RSG-Locations", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"eastus\",\"westus\"]}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Specifies the allowed locations (regions) where Resources can be deployed.", + "display_name": "Limit allowed locations for Resources", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-secure", + "name": "Deny-Resource-Locations", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"eastus\",\"westus\"]}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + 
"not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/policyAssignments/Deploy-HITRUST-HIPAA\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/policyAssignments/Deploy-HITRUST-HIPAA", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This assignment includes audit and virtual machine extension deployment policies that address a subset of HITRUST/HIPAA controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/hipaa-blueprint.", + "display_name": "Assign policies for HITRUST and HIPAA controls", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-secure", + "name": "Deploy-HITRUST-HIPAA", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"CertificateThumbprints\":{\"value\":\"\"},\"DeployDiagnosticSettingsforNetworkSecurityGroupsrgName\":{\"value\":\"root-id-1-rg\"},\"DeployDiagnosticSettingsforNetworkSecurityGroupsstoragePrefix\":{\"value\":\"root-id-1\"},\"installedApplicationsOnWindowsVM\":{\"value\":\"\"},\"listOfLocations\":{\"value\":[\"eastus\"]}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policySetDefinitions/a169a624-5599-4385-a696-c8d643089fab", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": 
"module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-web-emea/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-web-emea/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Specifies the allowed locations (regions) where Resource Groups can be deployed. Generated from custom Terraform template.", + "display_name": "Limit allowed locations for Resource Groups", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-web-emea", + "name": "Deny-RSG-Locations", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"northeurope\",\"westeurope\"]}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-web-emea/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-web-emea/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + 
"description": "Specifies the allowed locations (regions) where Resources can be deployed.", + "display_name": "Limit allowed locations for Resources", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-web-emea", + "name": "Deny-Resource-Locations", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"northeurope\",\"westeurope\"]}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-web-us/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-web-us/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Specifies the allowed locations (regions) where Resource Groups can be deployed. 
Generated from custom Terraform template.", + "display_name": "Limit allowed locations for Resource Groups", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-web-us", + "name": "Deny-RSG-Locations", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"eastus\",\"westus\"]}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-web-us/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-web-us/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Specifies the allowed locations (regions) where Resources can be deployed.", + "display_name": "Limit allowed locations for Resources", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-web-us", + "name": "Deny-Resource-Locations", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"eastus\",\"westus\"]}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + 
"not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Specifies the allowed locations (regions) where Resource Groups can be deployed. Generated from custom Terraform template.", + "display_name": "Limit allowed locations for Resource Groups", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deny-RSG-Locations", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"eastus\",\"eastus2\",\"westus\",\"northcentralus\",\"southcentralus\",\"northeurope\",\"westeurope\",\"uksouth\",\"ukwest\"]}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations", + "provider_name": 
"registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Specifies the allowed locations (regions) where Resources can be deployed.", + "display_name": "Limit allowed locations for Resources", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deny-Resource-Locations", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"eastus\",\"eastus2\",\"westus\",\"northcentralus\",\"southcentralus\",\"northeurope\",\"westeurope\",\"uksouth\",\"ukwest\"]}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Monitoring\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Monitoring", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enable Monitoring in Azure Security Center.", + "display_name": "Enable Monitoring in Azure Security Center", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-ASC-Monitoring", + "non_compliance_message": [], + "not_scopes": [], + "parameters": 
"{\"aadAuthenticationInSqlServerMonitoringEffect\":{\"value\":\"Disabled\"},\"diskEncryptionMonitoringEffect\":{\"value\":\"Disabled\"},\"encryptionOfAutomationAccountMonitoringEffect\":{\"value\":\"Disabled\"},\"identityDesignateLessThanOwnersMonitoringEffect\":{\"value\":\"Disabled\"},\"identityDesignateMoreThanOneOwnerMonitoringEffect\":{\"value\":\"Disabled\"},\"identityEnableMFAForWritePermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveDeprecatedAccountMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"jitNetworkAccessMonitoringEffect\":{\"value\":\"Disabled\"},\"networkSecurityGroupsOnSubnetsMonitoringEffect\":{\"value\":\"AuditIfNotExists\"},\"sqlDbEncryptionMonitoringEffect\":{\"value\":\"Disabled\"},\"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\":{\"value\":\"Disabled\"},\"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\":{\"value\":\"Disabled\"},\"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\":{\"value\":\"Disabled\"},\"sqlServerAdvancedDataSecurityMonitoringEffect\":{\"value\":\"Disabled\"},\"systemUpdatesMonitoringEffect\":{\"value\":\"Disabled\"},\"useRbacRulesMonitoringEffect\":{\"value\":\"Disabled\"},\"vmssSystemUpdatesMonitoringEffect\":{\"value\":\"Disabled\"},\"windowsDefenderExploitGuardMonitoringEffect\":{\"value\":\"Disabled\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": 
"module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-AzActivity-Log\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-AzActivity-Log", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Ensures that Activity Log Diagnostics settings are set to push logs into Log Analytics workspace.", + "display_name": "Deploy Diagnostic Settings for Activity Log to Log Analytics workspace", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-AzActivity-Log", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"logAnalytics\":{\"value\":\"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-HITRUST-HIPAA\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-HITRUST-HIPAA", 
+ "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This assignment includes audit and virtual machine extension deployment policies that address a subset of HITRUST/HIPAA controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/hipaa-blueprint.", + "display_name": "Assign policies for HITRUST and HIPAA controls", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-HITRUST-HIPAA", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"CertificateThumbprints\":{\"value\":\"\"},\"DeployDiagnosticSettingsforNetworkSecurityGroupsrgName\":{\"value\":\"root-id-1-rg\"},\"DeployDiagnosticSettingsforNetworkSecurityGroupsstoragePrefix\":{\"value\":\"root-id-1\"},\"installedApplicationsOnWindowsVM\":{\"value\":\"\"},\"listOfLocations\":{\"value\":[\"eastus\"]}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policySetDefinitions/a169a624-5599-4385-a696-c8d643089fab", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-LX-Arc-Monitoring\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-LX-Arc-Monitoring", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy-Linux-Arc-Monitoring.", + "display_name": 
"Deploy-Linux-Arc-Monitoring", + "enforce": false, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-LX-Arc-Monitoring", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"logAnalytics\":{\"value\":\"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-MDFC-Config\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-MDFC-Config", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy Microsoft Defender for Cloud and Security Contacts", + "display_name": "Deploy Microsoft Defender for Cloud configuration", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-MDFC-Config", + "non_compliance_message": [], + "not_scopes": [], + "parameters": 
"{\"ascExportResourceGroupLocation\":{\"value\":\"northeurope\"},\"ascExportResourceGroupName\":{\"value\":\"root-id-1-asc-export\"},\"emailSecurityContact\":{\"value\":\"test.user@replace_me\"},\"enableAscForAppServices\":{\"value\":\"DeployIfNotExists\"},\"enableAscForArm\":{\"value\":\"DeployIfNotExists\"},\"enableAscForContainers\":{\"value\":\"DeployIfNotExists\"},\"enableAscForDns\":{\"value\":\"DeployIfNotExists\"},\"enableAscForKeyVault\":{\"value\":\"DeployIfNotExists\"},\"enableAscForOssDb\":{\"value\":\"DeployIfNotExists\"},\"enableAscForServers\":{\"value\":\"DeployIfNotExists\"},\"enableAscForSql\":{\"value\":\"DeployIfNotExists\"},\"enableAscForSqlOnVm\":{\"value\":\"DeployIfNotExists\"},\"enableAscForStorage\":{\"value\":\"DeployIfNotExists\"},\"logAnalytics\":{\"value\":\"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-Resource-Diag\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-Resource-Diag", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Ensures that Azure resources are configured to forward diagnostic logs and metrics to an Azure Log Analytics workspace.", + "display_name": 
"Deploy-Resource-Diag", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-Resource-Diag", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"logAnalytics\":{\"value\":\"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Auditing\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Auditing", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy Auditing on SQL servers.", + "display_name": "Deploy Auditing on SQL servers", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-SQL-Auditing", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"retentionDays\":{\"value\":\"10\"},\"storageAccountsResourceGroup\":{\"value\":\"\"}}", + "policy_definition_id": 
"/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter.", + "display_name": "Enable Azure Monitor for VMs", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-VM-Monitoring", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"logAnalytics_1\":{\"value\":\"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": 
"module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-Monitoring\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-Monitoring", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances.", + "display_name": "Enable Azure Monitor for Virtual Machine Scale Sets", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-VMSS-Monitoring", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"logAnalytics_1\":{\"value\":\"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": 
"module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-WS-Arc-Monitoring\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-WS-Arc-Monitoring", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the Log Analytics agent to Windows Azure Arc machines if the agent isn't installed.", + "display_name": "Deploy-Windows-Arc-Monitoring", + "enforce": false, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-WS-Arc-Monitoring", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"logAnalytics\":{\"value\":\"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", + "provider_name": 
"registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.", + "display_name": "AppService append enable https only setting to enforce https setting.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", + "mode": "All", + "name": "Append-AppService-httpsonly", + "parameters": "{\"effect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"field\":\"Microsoft.Web/sites/httpsOnly\",\"notequals\":true}]},\"then\":{\"details\":[{\"field\":\"Microsoft.Web/sites/httpsOnly\",\"value\":true}],\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. 
Please note Append does not enforce compliance use then deny.", + "display_name": "AppService append sites with minimum TLS version to enforce.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", + "mode": "All", + "name": "Append-AppService-latestTLS", + "parameters": "{\"effect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version for a Web App config to enforce\",\"displayName\":\"Select version minimum TLS Web App config\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites/config\",\"field\":\"type\"},{\"field\":\"Microsoft.Web/sites/config/minTlsVersion\",\"notEquals\":\"[parameters('minTlsVersion')]\"}]},\"then\":{\"details\":[{\"field\":\"Microsoft.Web/sites/config/minTlsVersion\",\"value\":\"[parameters('minTlsVersion')]\"}],\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy enables you to ensure when a Key Vault is created with out soft delete enabled it will be added.", + "display_name": "KeyVault SoftDelete 
should be enabled", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Key Vault\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Append-KV-SoftDelete", + "parameters": null, + "policy_rule": "{\"if\":{\"anyOf\":[{\"allOf\":[{\"equals\":\"Microsoft.KeyVault/vaults\",\"field\":\"type\"},{\"field\":\"Microsoft.KeyVault/vaults/enableSoftDelete\",\"notEquals\":true}]}]},\"then\":{\"details\":[{\"field\":\"Microsoft.KeyVault/vaults/enableSoftDelete\",\"value\":true}],\"effect\":\"append\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Cache\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Append-Redis-disableNonSslPort", + "parameters": "{\"effect\":{\"allowedValues\":[\"Append\",\"Disabled\",\"Modify\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis\",\"displayName\":\"Effect Azure Cache for Redis\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Cache/redis\",\"field\":\"type\"},{\"anyOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Cache/Redis/enableNonSslPort\"}]}]},\"then\":{\"details\":[{\"field\":\"Microsoft.Cache/Redis/enableNonSslPort\",\"value\":false}],\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. 
Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Cache\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Append-Redis-sslEnforcement", + "parameters": "{\"effect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis\",\"displayName\":\"Effect Azure Cache for Redis\"},\"type\":\"String\"},\"minimumTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Cache for Redis to enforce\",\"displayName\":\"Select version for Redis server\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Cache/redis\",\"field\":\"type\"},{\"anyOf\":[{\"field\":\"Microsoft.Cache/Redis/minimumTlsVersion\",\"notequals\":\"[parameters('minimumTlsVersion')]\"}]}]},\"then\":{\"details\":[{\"field\":\"Microsoft.Cache/Redis/minimumTlsVersion\",\"value\":\"[parameters('minimumTlsVersion')]\"}],\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + 
"index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.", + "display_name": "Control private endpoint connections to Azure Machine Learning", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Audit-MachineLearning-PrivateEndpointId", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\",\"field\":\"type\"},{\"equals\":\"Approved\",\"field\":\"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\"},{\"notEquals\":\"[subscription().subscriptionId]\",\"value\":\"[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AA-child-resources\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AA-child-resources", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies the creation of child resources on the Automation Account", + "display_name": "No child resources in Automation Account", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Automation\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-AA-child-resources", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Automation/automationAccounts/runbooks\",\"Microsoft.Automation/automationAccounts/variables\",\"Microsoft.Automation/automationAccounts/modules\",\"Microsoft.Automation/automationAccounts/credentials\",\"Microsoft.Automation/automationAccounts/connections\",\"Microsoft.Automation/automationAccounts/certificates\"]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy enables you to restrict that Application Gateways is always deployed with WAF 
enabled", + "display_name": "Application Gateway should be deployed with WAF enabled", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-AppGW-Without-WAF", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/applicationGateways\",\"field\":\"type\"},{\"field\":\"Microsoft.Network/applicationGateways/sku.name\",\"notequals\":\"WAF_v2\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "display_name": "API App should only be accessible over HTTPS", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-AppServiceApiApp-http", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"field\":\"kind\",\"like\":\"*api\"},{\"equals\":\"false\",\"field\":\"Microsoft.Web/sites/httpsOnly\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "display_name": "Function App should only be accessible over HTTPS", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-AppServiceFunctionApp-http", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"field\":\"kind\",\"like\":\"functionapp*\"},{\"equals\":\"false\",\"field\":\"Microsoft.Web/sites/httpsOnly\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "display_name": "Web Application should only be accessible over HTTPS", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-AppServiceWebApp-http", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"field\":\"kind\",\"like\":\"app*\"},{\"equals\":\"false\",\"field\":\"Microsoft.Web/sites/httpsOnly\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp", + "provider_name": 
"registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.", + "display_name": "Deny public IPs for Databricks cluster", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Databricks\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-Databricks-NoPublicIp", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Databricks/workspaces\",\"field\":\"type\"},{\"field\":\"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\"notEquals\":true}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.", + "display_name": "Deny non-premium Databricks sku", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Databricks\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": 
"Deny-Databricks-Sku", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Databricks/workspaces\",\"field\":\"type\"},{\"field\":\"Microsoft.DataBricks/workspaces/sku.name\",\"notEquals\":\"premium\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enforces the use of vnet injection for Databricks workspaces.", + "display_name": "Deny Databricks workspaces without Vnet injection", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Databricks\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-Databricks-VirtualNetwork", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Databricks/workspaces\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value\"},{\"exists\":false,\"field\":\"Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value\"},{\"exists\":false,\"field\":\"Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Aks\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Aks", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.", + "display_name": "Deny AKS cluster creation in Azure Machine Learning", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MachineLearning-Aks", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"equals\":\"AKS\",\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/resourceId\"},{\"equals\":true,\"value\":\"[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-SubnetId\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-SubnetId", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.", + "display_name": "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MachineLearning-Compute-SubnetId", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\"in\":[\"AmlCompute\",\"ComputeInstance\"]},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/subnet.id\"},{\"equals\":true,\"value\":\"[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-VmSize\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-VmSize", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.", + "display_name": "Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Budget\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MachineLearning-Compute-VmSize", + "parameters": 
"{\"allowedVmSizes\":{\"defaultValue\":[\"Standard_D1_v2\",\"Standard_D2_v2\",\"Standard_D3_v2\",\"Standard_D4_v2\",\"Standard_D11_v2\",\"Standard_D12_v2\",\"Standard_D13_v2\",\"Standard_D14_v2\",\"Standard_DS1_v2\",\"Standard_DS2_v2\",\"Standard_DS3_v2\",\"Standard_DS4_v2\",\"Standard_DS5_v2\",\"Standard_DS11_v2\",\"Standard_DS12_v2\",\"Standard_DS13_v2\",\"Standard_DS14_v2\",\"Standard_M8-2ms\",\"Standard_M8-4ms\",\"Standard_M8ms\",\"Standard_M16-4ms\",\"Standard_M16-8ms\",\"Standard_M16ms\",\"Standard_M32-8ms\",\"Standard_M32-16ms\",\"Standard_M32ls\",\"Standard_M32ms\",\"Standard_M32ts\",\"Standard_M64-16ms\",\"Standard_M64-32ms\",\"Standard_M64ls\",\"Standard_M64ms\",\"Standard_M64s\",\"Standard_M128-32ms\",\"Standard_M128-64ms\",\"Standard_M128ms\",\"Standard_M128s\",\"Standard_M64\",\"Standard_M64m\",\"Standard_M128\",\"Standard_M128m\",\"Standard_D1\",\"Standard_D2\",\"Standard_D3\",\"Standard_D4\",\"Standard_D11\",\"Standard_D12\",\"Standard_D13\",\"Standard_D14\",\"Standard_DS15_v2\",\"Standard_NV6\",\"Standard_NV12\",\"Standard_NV24\",\"Standard_F2s_v2\",\"Standard_F4s_v2\",\"Standard_F8s_v2\",\"Standard_F16s_v2\",\"Standard_F32s_v2\",\"Standard_F64s_v2\",\"Standard_F72s_v2\",\"Standard_NC6s_v3\",\"Standard_NC12s_v3\",\"Standard_NC24rs_v3\",\"Standard_NC24s_v3\",\"Standard_NC6\",\"Standard_NC12\",\"Standard_NC24\",\"Standard_NC24r\",\"Standard_ND6s\",\"Standard_ND12s\",\"Standard_ND24rs\",\"Standard_ND24s\",\"Standard_NC6s_v2\",\"Standard_NC12s_v2\",\"Standard_NC24rs_v2\",\"Standard_NC24s_v2\",\"Standard_ND40rs_v2\",\"Standard_NV12s_v3\",\"Standard_NV24s_v3\",\"Standard_NV48s_v3\"],\"metadata\":{\"description\":\"Specifies the allowed VM Sizes for Aml Compute Clusters and Instances\",\"displayName\":\"Allowed VM Sizes for Aml Compute Clusters and Instances\"},\"type\":\"Array\"},\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\"in\":[\"AmlCompute\",\"ComputeInstance\"]},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/vmSize\",\"notIn\":\"[parameters('allowedVmSizes')]\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deny public access of Azure Machine Learning clusters via SSH.", + "display_name": "Deny public access of Azure Machine Learning clusters via SSH", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"equals\":\"AmlCompute\",\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\"notEquals\":\"Disabled\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-Scale\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-Scale", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enforce scale settings for Azure Machine Learning compute clusters.", + "display_name": "Enforce scale settings for Azure Machine Learning compute clusters", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Budget\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MachineLearning-ComputeCluster-Scale", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"maxNodeCount\":{\"defaultValue\":10,\"metadata\":{\"description\":\"Specifies the maximum node count of AML Clusters\",\"displayName\":\"Maximum Node 
Count\"},\"type\":\"Integer\"},\"maxNodeIdleTimeInSecondsBeforeScaleDown\":{\"defaultValue\":900,\"metadata\":{\"description\":\"Specifies the maximum node idle time in seconds before scaledown\",\"displayName\":\"Maximum Node Idle Time in Seconds Before Scaledown\"},\"type\":\"Integer\"},\"minNodeCount\":{\"defaultValue\":0,\"metadata\":{\"description\":\"Specifies the minimum node count of AML Clusters\",\"displayName\":\"Minimum Node Count\"},\"type\":\"Integer\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"equals\":\"AmlCompute\",\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\"},{\"anyOf\":[{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount\",\"greater\":\"[parameters('maxNodeCount')]\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount\",\"greater\":\"[parameters('minNodeCount')]\"},{\"greater\":\"[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]\",\"value\":\"[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-HbiWorkspace\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-HbiWorkspace", + "provider_name": 
"registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enforces high business impact Azure Machine Learning workspaces.", + "display_name": "Enforces high business impact Azure Machine Learning Workspaces", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MachineLearning-HbiWorkspace", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\"notEquals\":true}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicAccessWhenBehindVnet\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicAccessWhenBehindVnet", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deny public access behind vnet to Azure Machine Learning workspaces.", + "display_name": "Deny public acces behind vnet to Azure Machine Learning workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Machine 
Learning\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MachineLearning-PublicAccessWhenBehindVnet", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\"notEquals\":false}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Denies public network access for Azure Machine Learning workspaces.", + "display_name": "Azure Machine Learning should have disabled public network access", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MachineLearning-PublicNetworkAccess", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces\",\"field\":\"type\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/publicNetworkAccess\",\"notEquals\":\"Disabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "MySQL database servers enforce SSL connections.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MySql-http", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"Select version minimum TLS for MySQL server\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforMySQL/servers\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\"},{\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"},{\"field\":\"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Azure Database 
for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "PostgreSQL database servers enforce SSL connection.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.1\"}", + "mode": "Indexed", + "name": "Deny-PostgreSql-http", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"Select version minimum TLS for MySQL server\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforPostgreSQL/servers\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Private-DNS-Zones\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Private-DNS-Zones", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies the creation of a private DNS in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription", + "display_name": "Deny the creation of private DNS", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-Private-DNS-Zones", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/privateDnsZones\",\"field\":\"type\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": 
"This policy denies the creation of Maria DB accounts with exposed public endpoints", + "display_name": "Public network access should be disabled for MariaDB", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-PublicEndpoint-MariaDB", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforMariaDB/servers\",\"field\":\"type\"},{\"field\":\"Microsoft.DBforMariaDB/servers/publicNetworkAccess\",\"notequals\":\"Disabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies creation of Public IPs under the assigned scope.", + "display_name": "Deny the creation of public IP", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-PublicIP", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/publicIPAddresses\",\"field\":\"type\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies any network security rule that allows RDP access from Internet", + "display_name": "RDP access from the Internet should be blocked", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", + "mode": "All", + "name": "Deny-RDP-From-Internet", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/networkSecurityGroups/securityRules\",\"field\":\"type\"},{\"allOf\":[{\"equals\":\"Allow\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/access\"},{\"equals\":\"Inbound\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/direction\"},{\"anyOf\":[{\"equals\":\"*\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\"},{\"equals\":\"3389\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\"},{\"equals\":\"true\",\"value\":\"[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]\"},{\"count\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"where\":{\"equals\":\"true\",\"value\":\"[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 
'false')]\"}},\"greater\":0},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"notEquals\":\"3389\"}}]},{\"anyOf\":[{\"equals\":\"*\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\"},{\"equals\":\"Internet\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\"},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\"notEquals\":\"Internet\"}}]}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking", + "display_name": "Azure Cache for Redis only secure connections should be enabled", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Cache\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-Redis-http", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"The effect determines what happens when the policy rule is evaluated to match\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimumTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select minimum TLS version for Azure Cache for Redis.\",\"displayName\":\"Select minumum TLS version for Azure Cache for Redis.\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Cache/redis\",\"field\":\"type\"},{\"anyOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Cache/Redis/enableNonSslPort\"},{\"field\":\"Microsoft.Cache/Redis/minimumTlsVersion\",\"notequals\":\"[parameters('minimumTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Setting minimal TLS 
version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.", + "display_name": "Azure SQL Database should have the minimal TLS version set to the highest version", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-Sql-minTLS", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version SQL servers to enforce\",\"displayName\":\"Select version for SQL server\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Sql/servers\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.Sql/servers/minimalTlsVersion\"},{\"field\":\"Microsoft.Sql/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Setting minimal TLS 
version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.", + "display_name": "SQL Managed Instance should have the minimal TLS version set to the highest version", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-SqlMi-minTLS", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version SQL servers to enforce\",\"displayName\":\"Select version for SQL server\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Sql/managedInstances\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.Sql/managedInstances/minimalTlsVersion\"},{\"field\":\"Microsoft.Sql/managedInstances/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + 
"description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking", + "display_name": "Storage Account set to minumum TLS and Secure transfer should be enabled", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Storage\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-Storage-minTLS", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"The effect determines what happens when the policy rule is evaluated to match\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimumTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_1\",\"TLS1_0\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version on Azure Storage Account to enforce\",\"displayName\":\"Storage Account select minimum TLS version\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Storage/storageAccounts\",\"field\":\"type\"},{\"anyOf\":[{\"allOf\":[{\"less\":\"2019-04-01\",\"value\":\"[requestContext().apiVersion]\"},{\"exists\":\"false\",\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\"}]},{\"equals\":\"false\",\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\"},{\"field\":\"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\"notequals\":\"[parameters('minimumTlsVersion')]\"},{\"exists\":\"false\",\"field\":\"Microsoft.Storage/storageAccounts/minimumTlsVersion\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level.", + "display_name": "Subnets should have a Network Security Group", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"2.0.0\"}", + "mode": "All", + "name": "Deny-Subnet-Without-Nsg", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"excludedSubnets\":{\"defaultValue\":[\"GatewaySubnet\",\"AzureFirewallSubnet\",\"AzureFirewallManagementSubnet\"],\"metadata\":{\"description\":\"Array of subnet names that are excluded from this policy\",\"displayName\":\"Excluded Subnets\"},\"type\":\"Array\"}}", + "policy_rule": 
"{\"if\":{\"anyOf\":[{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks\",\"field\":\"type\"},{\"count\":{\"field\":\"Microsoft.Network/virtualNetworks/subnets[*]\",\"where\":{\"allOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id\"},{\"field\":\"Microsoft.Network/virtualNetworks/subnets[*].name\",\"notIn\":\"[parameters('excludedSubnets')]\"}]}},\"notEquals\":0}]},{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks/subnets\",\"field\":\"type\"},{\"field\":\"name\",\"notIn\":\"[parameters('excludedSubnets')]\"},{\"exists\":\"false\",\"field\":\"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies the creation of a subnet without a User Defined Route (UDR).", + "display_name": "Subnets should have a User Defined Route", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"2.0.0\"}", + "mode": "All", + "name": "Deny-Subnet-Without-Udr", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"excludedSubnets\":{\"defaultValue\":[\"AzureBastionSubnet\"],\"metadata\":{\"description\":\"Array of subnet names that are excluded from this policy\",\"displayName\":\"Excluded Subnets\"},\"type\":\"Array\"}}", + "policy_rule": "{\"if\":{\"anyOf\":[{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks\",\"field\":\"type\"},{\"count\":{\"field\":\"Microsoft.Network/virtualNetworks/subnets[*]\",\"where\":{\"allOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.Network/virtualNetworks/subnets[*].routeTable.id\"},{\"field\":\"Microsoft.Network/virtualNetworks/subnets[*].name\",\"notIn\":\"[parameters('excludedSubnets')]\"}]}},\"notEquals\":0}]},{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks/subnets\",\"field\":\"type\"},{\"field\":\"name\",\"notIn\":\"[parameters('excludedSubnets')]\"},{\"exists\":\"false\",\"field\":\"Microsoft.Network/virtualNetworks/subnets/routeTable.id\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.", + "display_name": "Deny vNet peering cross subscription.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.1\"}", + "mode": "All", + "name": 
"Deny-VNET-Peer-Cross-Sub", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\"field\":\"type\"},{\"field\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id\",\"notcontains\":\"[subscription().id]\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-VNet-Peering\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-VNet-Peering", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies the creation of vNet Peerings under the assigned scope.", + "display_name": "Deny vNet peering ", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.1\"}", + "mode": "All", + "name": "Deny-VNet-Peering", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\"field\":\"type\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { 
+ "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy Azure Security Center Security Contacts", + "display_name": "Deploy Azure Security Center Security Contacts", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Security Center\",\"version\":\"1.0.0\"}", + "mode": "All", + "name": "Deploy-ASC-SecurityContacts", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"string\"},\"emailSecurityContact\":{\"metadata\":{\"description\":\"Provide email address for Azure Security Center contact details\",\"displayName\":\"Security contacts email address\"},\"type\":\"string\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"emailSecurityContact\":{\"value\":\"[parameters('emailSecurityContact')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"emailSecurityContact\":{\"metadata\":{\"description\":\"Security contacts email 
address\"},\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2020-01-01-preview\",\"name\":\"default\",\"properties\":{\"alertNotifications\":{\"minimalSeverity\":\"High\",\"state\":\"On\"},\"emails\":\"[parameters('emailSecurityContact')]\",\"notificationsByRole\":{\"roles\":[\"Owner\"],\"state\":\"On\"}},\"type\":\"Microsoft.Security/securityContacts\"}],\"variables\":{}}}},\"deploymentScope\":\"subscription\",\"existenceCondition\":{\"allOf\":[{\"contains\":\"[parameters('emailSecurityContact')]\",\"field\":\"Microsoft.Security/securityContacts/email\"},{\"equals\":\"Microsoft.Security/securityContacts\",\"field\":\"type\"},{\"equals\":\"On\",\"field\":\"Microsoft.Security/securityContacts/alertNotifications\"},{\"equals\":\"On\",\"field\":\"Microsoft.Security/securityContacts/alertsToAdmins\"}]},\"existenceScope\":\"subscription\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd\"],\"type\":\"Microsoft.Security/securityContacts\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Budget\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Budget", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy a default budget on all subscriptions under the assigned scope", + "display_name": "Deploy a default budget on all subscriptions under the assigned scope", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Budget\",\"version\":\"1.1.0\"}", + "mode": "All", + "name": 
"Deploy-Budget", + "parameters": "{\"amount\":{\"defaultValue\":\"1000\",\"metadata\":{\"description\":\"The total amount of cost or usage to track with the budget\"},\"type\":\"String\"},\"budgetName\":{\"defaultValue\":\"budget-set-by-policy\",\"metadata\":{\"description\":\"The name for the budget to be created\"},\"type\":\"String\"},\"contactEmails\":{\"defaultValue\":[],\"metadata\":{\"description\":\"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"},\"type\":\"Array\"},\"contactGroups\":{\"defaultValue\":[],\"metadata\":{\"description\":\"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"},\"type\":\"Array\"},\"contactRoles\":{\"defaultValue\":[\"Owner\",\"Contributor\"],\"metadata\":{\"description\":\"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"},\"type\":\"Array\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\"},\"type\":\"String\"},\"firstThreshold\":{\"defaultValue\":\"90\",\"metadata\":{\"description\":\"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"},\"type\":\"String\"},\"secondThreshold\":{\"defaultValue\":\"100\",\"metadata\":{\"description\":\"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"},\"type\":\"String\"},\"timeGrain\":{\"allowedValues\":[\"Monthly\",\"Quarterly\",\"Annually\",\"BillingMonth\",\"BillingQuarter\",\"BillingAnnual\"],\"defaultValue\":\"Monthly\",\"metadata\":{\"description\":\"The time covered by a budget. 
Tracking of the amount will be reset based on the time grain.\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"amount\":{\"value\":\"[parameters('amount')]\"},\"budgetName\":{\"value\":\"[parameters('budgetName')]\"},\"contactEmails\":{\"value\":\"[parameters('contactEmails')]\"},\"contactGroups\":{\"value\":\"[parameters('contactGroups')]\"},\"contactRoles\":{\"value\":\"[parameters('contactRoles')]\"},\"firstThreshold\":{\"value\":\"[parameters('firstThreshold')]\"},\"secondThreshold\":{\"value\":\"[parameters('secondThreshold')]\"},\"timeGrain\":{\"value\":\"[parameters('timeGrain')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"amount\":{\"type\":\"String\"},\"budgetName\":{\"type\":\"String\"},\"contactEmails\":{\"type\":\"Array\"},\"contactGroups\":{\"type\":\"Array\"},\"contactRoles\":{\"type\":\"Array\"},\"firstThreshold\":{\"type\":\"String\"},\"secondThreshold\":{\"type\":\"String\"},\"startDate\":{\"defaultValue\":\"[concat(utcNow('MM'), '/01/', 
utcNow('yyyy'))]\",\"type\":\"String\"},\"timeGrain\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2019-10-01\",\"name\":\"[parameters('budgetName')]\",\"properties\":{\"amount\":\"[parameters('amount')]\",\"category\":\"Cost\",\"notifications\":{\"NotificationForExceededBudget1\":{\"contactEmails\":\"[parameters('contactEmails')]\",\"contactGroups\":\"[parameters('contactGroups')]\",\"contactRoles\":\"[parameters('contactRoles')]\",\"enabled\":true,\"operator\":\"GreaterThan\",\"threshold\":\"[parameters('firstThreshold')]\"},\"NotificationForExceededBudget2\":{\"contactEmails\":\"[parameters('contactEmails')]\",\"contactGroups\":\"[parameters('contactGroups')]\",\"contactRoles\":\"[parameters('contactRoles')]\",\"enabled\":true,\"operator\":\"GreaterThan\",\"threshold\":\"[parameters('secondThreshold')]\"}},\"timeGrain\":\"[parameters('timeGrain')]\",\"timePeriod\":{\"startDate\":\"[parameters('startDate')]\"}},\"type\":\"Microsoft.Consumption/budgets\"}]}}},\"deploymentScope\":\"subscription\",\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('amount')]\",\"field\":\"Microsoft.Consumption/budgets/amount\"},{\"equals\":\"[parameters('timeGrain')]\",\"field\":\"Microsoft.Consumption/budgets/timeGrain\"},{\"equals\":\"Cost\",\"field\":\"Microsoft.Consumption/budgets/category\"}]},\"existenceScope\":\"subscription\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Consumption/budgets\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Custom-Route-Table\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Custom-Route-Table", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys a route table with specific user defined routes when one does not exist. The route table deployed by the policy must be manually associated to subnet(s)", + "display_name": "Deploy a route table with specific user defined routes", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Custom-Route-Table", + "parameters": "{\"disableBgpPropagation\":{\"defaultValue\":false,\"metadata\":{\"description\":\"Disable BGP Propagation\",\"displayName\":\"DisableBgpPropagation\"},\"type\":\"Boolean\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"requiredRoutes\":{\"metadata\":{\"description\":\"Routes that must exist in compliant route tables deployed by this policy\",\"displayName\":\"requiredRoutes\"},\"type\":\"Array\"},\"routeTableName\":{\"metadata\":{\"description\":\"Name of the route table automatically deployed by this policy\",\"displayName\":\"routeTableName\"},\"type\":\"String\"},\"vnetRegion\":{\"metadata\":{\"description\":\"Only VNets in this region will be evaluated against this policy\",\"displayName\":\"vnetRegion\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks\",\"field\":\"type\"},{\"equals\":\"[parameters('vnetRegion')]\",\"field\":\"location\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"disableBgpPropagation\":{\"value\":\"[parameters('disableBgpPropagation')]\"},\"requiredRoutes\":{\"value\":\"[parameters('requiredRoutes')]\"},\"routeTableName\":{\"value\":\"[parameters('routeTableName')]\"},\"vnetRegion\":{\"value\":\"[parameters('vnetRegion')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"disableBgpPropagation\":{\"type\":\"bool\"},\"requiredRoutes\":{\"type\":\"array\"},\"routeTableName\":{\"type\":\"string\"},\"vnetRegion\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2021-04-01\",\"name\":\"routeTableDepl\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"disableBgpPropagation\":{\"value\":\"[parameters('disableBgpPropagation')]\"},\"requiredRoutes\":{\"value\":\"[parameters('requiredRoutes')]\"},\"routeTableName\":{\"value\":\"[parameters('routeTableName')]\"},\"vnetRegion\":{\"value\":\"[parameters('vnetRegion')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"disableBgpPropagation\":{\"type\":\"bool\"},\"requiredRoutes\":{\"type\":\"array\"},\"routeTableName\":{\"type\":\"string\"},\"vnetRegion\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2021-02-01\",\"location\":\"[[parameters('vnetRegion')]\",\"name\":\"[[parameters('routeTableName')]\",\"properties\":{\"copy\":\"[variables('copyLoop')]\",\"disableBgpRoutePropagation\":\"[[parameters('disableBgpPropagation')]\"},\"type\":\"Microsoft.Network/routeTables\"}]}},\"type\":\"Microsoft.Resources/deployments\"}],\"variables\":{\"copyLoop\":[{\"count\":\"[[length(parameters('requir
edRoutes'))]\",\"input\":{\"name\":\"[[concat('route-',copyIndex('routes'))]\",\"properties\":{\"addressPrefix\":\"[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[0]]\",\"nextHopIpAddress\":\"[[if(equals(toLower(split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]),'virtualappliance'),split(parameters('requiredRoutes')[copyIndex('routes')], ';')[2], null())]\",\"nextHopType\":\"[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]]\"}},\"name\":\"routes\"}]}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('routeTableName')]\",\"field\":\"name\"},{\"count\":{\"field\":\"Microsoft.Network/routeTables/routes[*]\",\"where\":{\"in\":\"[parameters('requiredRoutes')]\",\"value\":\"[concat(current('Microsoft.Network/routeTables/routes[*].addressPrefix'), ';', current('Microsoft.Network/routeTables/routes[*].nextHopType'), if(equals(toLower(current('Microsoft.Network/routeTables/routes[*].nextHopType')),'virtualappliance'), concat(';', current('Microsoft.Network/routeTables/routes[*].nextHopIpAddress')), ''))]\"}},\"equals\":\"[length(parameters('requiredRoutes'))]\"}]},\"roleDefinitionIds\":[\"/subscriptions/e867a45d-e513-44ac-931e-4741cef80b24/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"],\"type\":\"Microsoft.Network/routeTables\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-DDoSProtection\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-DDoSProtection", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + 
"schema_version": 0, + "values": { + "description": "Deploys an Azure DDoS Protection Standard plan", + "display_name": "Deploy an Azure DDoS Protection Standard plan", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", + "mode": "All", + "name": "Deploy-DDoSProtection", + "parameters": "{\"ddosName\":{\"metadata\":{\"description\":\"DDoSVnet\",\"displayName\":\"ddosName\"},\"type\":\"String\"},\"ddosRegion\":{\"metadata\":{\"description\":\"DDoSVnet location\",\"displayName\":\"ddosRegion\",\"strongType\":\"location\"},\"type\":\"String\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"rgName\":{\"metadata\":{\"description\":\"Provide name for resource group.\",\"displayName\":\"rgName\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"ddosname\":{\"value\":\"[parameters('ddosname')]\"},\"ddosregion\":{\"value\":\"[parameters('ddosRegion')]\"},\"rgName\":{\"value\":\"[parameters('rgName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"ddosRegion\":{\"type\":\"String\"},\"ddosname\":{\"type\":\"String\"},\"rgName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2018-05-01\",\"location\":\"[deployment().location]\",\"name\":\"[parameters('rgName')]\",\"properties\":{},\"type\":\"Microsoft.Resources/resourceGroups\"},{\"apiVersion\":\"2018-05-01\",\"dependsOn\":[\"[resourceId('Microsoft.Resources/resourceGroups/', 
parameters('rgName'))]\"],\"name\":\"ddosprotection\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{},\"resources\":[{\"apiVersion\":\"2019-12-01\",\"location\":\"[parameters('ddosRegion')]\",\"name\":\"[parameters('ddosName')]\",\"properties\":{},\"type\":\"Microsoft.Network/ddosProtectionPlans\"}]}},\"resourceGroup\":\"[parameters('rgName')]\",\"type\":\"Microsoft.Resources/deployments\"}]}}},\"deploymentScope\":\"subscription\",\"existenceScope\":\"resourceGroup\",\"name\":\"[parameters('ddosName')]\",\"resourceGroupName\":\"[parameters('rgName')]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"],\"type\":\"Microsoft.Network/ddosProtectionPlans\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Automation to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-AA", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Automation/automationAccounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"JobLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"JobStreams\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DscNodeStatus\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AuditEvent\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Automation/automationAccounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic 
settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.", + "display_name": "Deploy Diagnostic Settings for Container Instances to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-ACI", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.ContainerInstance/containerGroups\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.ContainerInstance/containerGroups/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + 
"timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.", + "display_name": "Deploy Diagnostic Settings for Container Registry to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-ACR", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.ContainerRegistry/registries\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[paramet
ers('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ContainerRegistryLoginEvents\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ContainerRegistryRepositoryEvents\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.ContainerRegistry/registries/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings 
for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for API Management to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-APIMgmt", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.ApiManagement/service\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"GatewayLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.ApiManagement/service/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-AnalysisService", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.AnalysisServices/servers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Engine\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Service\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.AnalysisServices/servers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is 
created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-ApiForFHIR", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.HealthcareApis/services\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.HealthcareApis/services/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-ApplicationGateway", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/applicationGateways\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ApplicationGatewayAccessLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ApplicationGatewayPerformanceLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ApplicationGatewayFirewallLog\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/applicationGateways/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic 
settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-CDNEndpoints", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Cdn/profiles/endpoints\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('fullName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"CoreAnalytics\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Cdn/profiles/endpoints/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-CognitiveServices", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.CognitiveServices/accounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameter
s('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"RequestResponse\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Trace\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.CognitiveServices/accounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": 
"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-CosmosDB", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DocumentDB/databaseAccounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"DataPlaneRequests\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"MongoRequests\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"QueryRuntimeStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"PartitionKeyStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"PartitionKeyRUConsumption\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ControlPlaneRequests\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"CassandraRequests\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"GremlinRequests\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"Requests\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DocumentDB/databaseAccounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\"]", + "mode": 
"managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-DLAnalytics", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.DataLakeAnalytics/accounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameter
s('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Requests\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Azure Data Explorer 
Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-DataExplorerCluster", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Kusto/Clusters\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"SucceededIngestion\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"FailedIngestion\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"IngestionBatching\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Command\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Query\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TableUsageStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TableDetails\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Kusto/Clusters/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Data Factory to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-DataFactory", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.DataFactory/factories\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('lo
cation')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ActivityRuns\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"PipelineRuns\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TriggerRuns\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageEventMessages\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageExecutableStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageEventMessageContext\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageExecutionComponentPhases\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageExecutionDataStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISIntegrationRuntimeLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DataFactory/factories/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Databricks to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-Databricks", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Databricks/workspaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"dbfs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"clusters\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"accounts\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"jobs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"notebook\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ssh\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"workspace\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"secrets\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"sqlPermissions\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"instancePools\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Databricks/workspaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-EventGridSub", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.EventGrid/eventSubscriptions\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.EventGrid/eventSubscriptions/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-EventGridSystemTopic", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.EventGrid/systemTopics\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"DeliveryFailures\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.EventGrid/systemTopics/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-EventGridTopic", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.EventGrid/topics\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"DeliveryFailures\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"PublishFailures\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.EventGrid/topics/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is 
created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-ExpressRoute", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/expressRouteCircuits\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"PeeringRouteLog\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/expressRouteCircuits/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Firewall to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-Firewall", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/azureFirewalls\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AzureFirewallApplicationRule\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AzureFirewallNetworkRule\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AzureFirewallDnsProxy\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/azureFirewalls/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Front Door to 
stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Front Door to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-FrontDoor", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/frontDoors\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"FrontdoorAccessLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"FrontdoorWebApplicationFirewallLog\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/frontDoors/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this 
diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-Function", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"contains\":\"functionapp\",\"value\":\"[field('kind')]\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"FunctionAppLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Web/sites/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for HDInsight to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-HDInsight", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.HDInsight/clusters\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.HDInsight/clusters/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + 
"sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-LoadBalancer", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/loadBalancers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('lo
cation')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"LoadBalancerAlertEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"LoadBalancerProbeHealthStatus\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/loadBalancers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Logic 
Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-LogicAppsISE", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Logic/integrationAccounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"IntegrationAccountTrackingEvents\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Logic/integrationAccounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for MariaDB to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-MariaDB", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.DBforMariaDB/servers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('loc
ation')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"MySqlSlowLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"MySqlAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DBforMariaDB/servers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Azure Media Service to stream to a 
Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-MediaService", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Media/mediaServices\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"KeyDeliveryRequests\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Media/mediaServices/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-MlWorkspace", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.MachineLearningServices/workspaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AmlComputeClusterEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AmlComputeClusterNodeEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AmlComputeJobEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AmlComputeCpuGpuUtilization\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AmlRunStatusChangedEvent\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"Run\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null},{\"category\":\"Model\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":true}},{\"category\":\"Quota\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null},{\"category\":\"Resource\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.MachineLearningServices/workspaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-MySQL", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.DBforMySQL/servers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('locat
ion')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"MySqlSlowLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"MySqlAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DBforMySQL/servers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace 
when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-NIC", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/networkInterfaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/networkInterfaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + 
"sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-NetworkSecurityGroups", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/networkSecurityGroups\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"NetworkSecurityGroupEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"NetworkSecurityGroupRuleCounter\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-PostgreSQL", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DBforPostgreSQL/servers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"PostgreSQLLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"QueryStoreRuntimeStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"QueryStoreWaitStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DBforPostgreSQL/servers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Power BI 
Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-PowerBIEmbedded", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.PowerBIDedicated/capacities\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Engine\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.PowerBIDedicated/capacities/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-RedisCache", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Cache/redis\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Cache/redis/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + 
}, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Relay to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-Relay", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Relay/namespaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('locatio
n')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"HybridConnectionsEvent\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Relay/namespaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this 
diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-SQLElasticPools", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Sql/servers/elasticPools\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('fullName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Sql/servers/elasticPools/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + 
}, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-SQLMI", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Sql/managedInstances\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ResourceUsageStats\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SQLSecurityAuditEvents\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DevOpsOperationsAudit\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Sql/managedInstances/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for SignalR to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-SignalR", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.SignalRService/SignalR\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AllLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.SignalRService/SignalR/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-TimeSeriesInsights", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.TimeSeriesInsights/environments\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Ingress\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Management\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.TimeSeriesInsights/environments/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic 
settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-TrafficManager", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/trafficManagerProfiles\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ProbeHealthStatusEvents\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/trafficManagerProfiles/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-VM", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Compute/virtualMachines\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false}}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Compute/virtualMachines/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": 
{} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-VMSS", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false}}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Compute/virtualMachineScaleSets/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled.", + "display_name": "Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-VNetGW", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/virtualNetworkGateways\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"GatewayDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"IKEDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"P2SDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"RouteDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"RouteDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TunnelDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/virtualNetworkGateways/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-VirtualNetwork", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/virtualNetworks\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('
location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"VMProtectionAlerts\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false}}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/virtualNetworks/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for WVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic 
settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "display_name": "Deploy Diagnostic Settings for WVD Application group to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-WVDAppGroup", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DesktopVirtualization/applicationGroups\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Checkpoint\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Error\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Management\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DesktopVirtualization/applicationGroups/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for WVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all and categorys enabled.", + "display_name": "Deploy Diagnostic Settings for WVD Host Pools to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-WVDHostPools", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DesktopVirtualization/hostpools\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Checkpoint\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Error\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Management\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Connection\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"HostRegistration\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AgentHealthStatus\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DesktopVirtualization/hostpools/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for WVD Workspace to stream to a Log Analytics workspace when any 
Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "display_name": "Deploy Diagnostic Settings for WVD Workspace to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-WVDWorkspace", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DesktopVirtualization/workspaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Checkpoint\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Error\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Management\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Feed\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DesktopVirtualization/workspaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-WebServerFarm", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Web/serverfarms\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Web/serverfarms/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + 
"sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for App Service to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-Website", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"notContains\":\"functionapp\",\"value\":\"[field('kind')]\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"20
17-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AppServiceAntivirusScanAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceHTTPLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceConsoleLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceHTTPLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceAppLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceFileAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceIPSecAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServicePlatformLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Web/sites/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": 
{} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-iotHub", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Devices/IotHubs\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location
')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Connections\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DeviceTelemetry\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"C2DCommands\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DeviceIdentityOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"FileUploadOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Routes\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"D2CTwinOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"C2DTwinOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TwinQueries\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"JobsOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DirectMethods\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DistributedTracing\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Configurations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DeviceStreams\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Devices/IotHubs/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa
\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-FirewallPolicy\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-FirewallPolicy", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys Azure Firewall Manager policy in subscription where the policy is assigned.", + "display_name": "Deploy Azure Firewall Manager policy in the subscription", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", + "mode": "All", + "name": "Deploy-FirewallPolicy", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"fwPolicyRegion\":{\"metadata\":{\"description\":\"Select Azure region for Azure Firewall Policy\",\"displayName\":\"fwPolicyRegion\",\"strongType\":\"location\"},\"type\":\"String\"},\"fwpolicy\":{\"defaultValue\":{},\"metadata\":{\"description\":\"Object describing Azure Firewall Policy\",\"displayName\":\"fwpolicy\"},\"type\":\"Object\"},\"rgName\":{\"metadata\":{\"description\":\"Provide name for resource group.\",\"displayName\":\"rgName\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"fwPolicy\":{\"value\":\"[parameters('fwPolicy')]\"},\"fwPolicyRegion\":{\"value\":\"[parameters('fwPolicyRegion')]\"},\"rgName\":{\"value\":\"[parameters('rgName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"fwPolicy\":{\"type\":\"object\"},\"fwPolicyRegion\":{\"type\":\"String\"},\"rgName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2018-05-01\",\"location\":\"[deployment().location]\",\"name\":\"[parameters('rgName')]\",\"properties\":{},\"type\":\"Microsoft.Resources/resourceGroups\"},{\"apiVersion\":\"2018-05-01\",\"dependsOn\":[\"[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]\"],\"name\":\"fwpolicies\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{},\"resources\":[{\"apiVersion\":\"2019-09-01\",\"dependsOn\":[],\"location\":\"[parameters('fwpolicy').location]\",\"name\":\"[parameters('fwpolicy').firewallPolicyName]\",\"properties\":{},\"resources\":[{\"apiVersion\":\"2019-09-01\",\"dependsOn\":[\"[resourceId('Microsoft.Network/firewallPolicies',parameters('fwpolicy').firewallPolicyName)]\"],\"name\":\"[parameters('fwpolicy').ruleGroups.name]\",\"properties\":{\"priority\":\"[parameters('fwpolicy').ruleGroups.properties.priority]\",\"rules\":\"[parameters('fwpolicy').ruleGroups.properties.rules]\"},\"type\":\"ruleGroups\"}],\"tags\":{},\"type\":\"Microsoft.Network/firewallPolicies\"}],\"variables\":{}}},\"resourceGroup\":\"[parameters('rgName')]\",\"type\":\"Microsoft.Resources/deployments\"}]}}},\"depl
oymentScope\":\"subscription\",\"existenceScope\":\"resourceGroup\",\"resourceGroupName\":\"[parameters('rgName')]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Network/firewallPolicies\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-MySQL-sslEnforcement", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure Database for MySQL server\",\"displayName\":\"Effect minimum TLS version Azure Database for MySQL server\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"Select version minimum TLS for MySQL server\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforMySQL/servers\",\"field\":\"type\"},{\"anyOf\":[{\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"},{\"field\":\"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('minimalTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimalTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-12-01\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimalTlsVersion\":\"[parameters('minimalTlsVersion')]\",\"sslEnforcement\":\"[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]\"},\"type\":\"Microsoft.DBforMySQL/servers\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"Enabled\",\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\"},{\"equals\":\"[parameters('minimalTlsVersion')]\",\"field\":\"Microsoft.DBforMySQL/servers/minimalTlsVersion\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.DBforMySQL/servers\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs\"]", + "mode": 
"managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys NSG flow logs and traffic analytics to a storageaccountid with a specfied retention period.", + "display_name": "Deploys NSG flow logs and traffic analytics", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Nsg-FlowLogs", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"flowAnalyticsEnabled\":{\"defaultValue\":false,\"metadata\":{\"displayName\":\"Enable Traffic Analytics\"},\"type\":\"Boolean\"},\"logAnalytics\":{\"defaultValue\":\"\",\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Resource ID of Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"retention\":{\"defaultValue\":5,\"metadata\":{\"displayName\":\"Retention\"},\"type\":\"Integer\"},\"storageAccountResourceId\":{\"metadata\":{\"displayName\":\"Storage Account Resource Id\",\"strongType\":\"Microsoft.Storage/storageAccounts\"},\"type\":\"String\"},\"trafficAnalyticsInterval\":{\"defaultValue\":60,\"metadata\":{\"displayName\":\"Traffic Analytics processing interval mins (10/60)\"},\"type\":\"Integer\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/networkSecurityGroups\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"flowAnalyticsEnabled\":{\"value\":\"[parameters('flowAnalyticsEnabled')]\"},\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"networkSecurityGroupName\":{\"value\":\"[field('name')]\"},\"resourceGroupName\":{\"value\":\"[resourceGroup().name]\"},\"retention\":{\"value\":\"[parameters('retention')]\"},\"storageAccountResourceId\":{\"value\":\"[parameters('storageAccountResourceId')]\"},\"trafficAnalyticsInterval\":{\"value\":\"[parameters('trafficAnalyticsInterval')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"flowAnalyticsEnabled\":{\"type\":\"bool\"},\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"networkSecurityGroupName\":{\"type\":\"String\"},\"resourceGroupName\":{\"type\":\"String\"},\"retention\":{\"type\":\"int\"},\"storageAccountResourceId\":{\"type\":\"String\"},\"trafficAnalyticsInterval\":{\"type\":\"int\"}},\"resources\":[{\"api
Version\":\"2020-05-01\",\"location\":\"[parameters('location')]\",\"name\":\"[take(concat('NetworkWatcher_', toLower(parameters('location')), '/', parameters('networkSecurityGroupName'), '-', parameters('resourceGroupName'), '-flowlog' ), 80)]\",\"properties\":{\"enabled\":true,\"flowAnalyticsConfiguration\":{\"networkWatcherFlowAnalyticsConfiguration\":{\"enabled\":\"[bool(parameters('flowAnalyticsEnabled'))]\",\"trafficAnalyticsInterval\":\"[parameters('trafficAnalyticsInterval')]\",\"workspaceId\":\"[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').properties.customerId, json('null')) ]\",\"workspaceRegion\":\"[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').location, json('null')) ]\",\"workspaceResourceId\":\"[if(not(empty(parameters('logAnalytics'))), parameters('logAnalytics'), json('null'))]\"}},\"format\":{\"type\":\"JSON\",\"version\":2},\"retentionPolicy\":{\"days\":\"[parameters('retention')]\",\"enabled\":true},\"storageId\":\"[parameters('storageAccountResourceId')]\",\"targetResourceId\":\"[resourceId(parameters('resourceGroupName'), 'Microsoft.Network/networkSecurityGroups', 
parameters('networkSecurityGroupName'))]\"},\"type\":\"Microsoft.Network/networkWatchers/flowLogs\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Network/networkWatchers/flowLogs/enabled\"},{\"equals\":\"[parameters('flowAnalyticsEnabled')]\",\"field\":\"Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled\"}]},\"resourceGroupName\":\"NetworkWatcherRG\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Network/networkWatchers/flowLogs\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs-to-LA\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs-to-LA", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys NSG flow logs and traffic analytics to Log Analytics with a specfied retention period.", + "display_name": "Deploys NSG flow logs and traffic analytics to Log Analytics", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.1.0\"}", + "mode": "Indexed", + "name": "Deploy-Nsg-FlowLogs-to-LA", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"interval\":{\"defaultValue\":60,\"metadata\":{\"displayName\":\"Traffic Analytics processing interval mins (10/60)\"},\"type\":\"Integer\"},\"retention\":{\"defaultValue\":5,\"metadata\":{\"displayName\":\"Retention\"},\"type\":\"Integer\"},\"workspace\":{\"defaultValue\":\"\",\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Resource ID of Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/networkSecurityGroups\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"interval\":{\"value\":\"[parameters('interval')]\"},\"location\":{\"value\":\"[field('location')]\"},\"networkSecurityGroup\":{\"value\":\"[field('id')]\"},\"retention\":{\"value\":\"[parameters('retention')]\"},\"workspace\":{\"value\":\"[parameters('workspace')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"interval\":{\"type\":\"int\"},\"location\":{\"type\":\"String\"},\"networkSecurityGroup\":{\"type\":\"String\"},\"retention\":{\"type\":\"int\"},\"time\":{\"defaultValue\":\"[utcNow()]\",\"type\":\"String\"},\"workspace\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2019-10-01\",\"name\":\"[concat(variables('resourceGroupName'), '.', 
variables('securityGroupName'))]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"resources\":[{\"apiVersion\":\"2019-06-01\",\"kind\":\"StorageV2\",\"location\":\"[parameters('location')]\",\"name\":\"[variables('storageAccountName')]\",\"properties\":{},\"sku\":{\"name\":\"Standard_LRS\",\"tier\":\"Standard\"},\"type\":\"Microsoft.Storage/storageAccounts\"}]}},\"resourceGroup\":\"[variables('resourceGroupName')]\",\"type\":\"Microsoft.Resources/deployments\"},{\"apiVersion\":\"2019-10-01\",\"dependsOn\":[\"[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]\"],\"name\":\"[concat('NetworkWatcherRG', '.', variables('securityGroupName'))]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"resources\":[{\"apiVersion\":\"2020-05-01\",\"location\":\"[parameters('location')]\",\"name\":\"[concat('NetworkWatcher_', toLower(parameters('location')))]\",\"properties\":{},\"resources\":[{\"apiVersion\":\"2019-11-01\",\"dependsOn\":[\"[concat('NetworkWatcher_', toLower(parameters('location')))]\"],\"location\":\"[parameters('location')]\",\"name\":\"[concat(variables('securityGroupName'), '-Network-flowlog')]\",\"properties\":{\"enabled\":true,\"flowAnalyticsConfiguration\":{\"networkWatcherFlowAnalyticsConfiguration\":{\"enabled\":true,\"trafficAnalyticsInterval\":\"[parameters('interval')]\",\"workspaceResourceId\":\"[parameters('workspace')]\"}},\"format\":{\"type\":\"JSON\",\"version\":2},\"retentionPolicy\":{\"days\":\"[parameters('retention')]\",\"enabled\":true},\"storageId\":\"[concat(subscription().id, '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.Storage/storageAccounts/', 
variables('storageAccountName'))]\",\"targetResourceId\":\"[parameters('networkSecurityGroup')]\"},\"type\":\"flowLogs\"}],\"type\":\"Microsoft.Network/networkWatchers\"}]}},\"resourceGroup\":\"NetworkWatcherRG\",\"type\":\"Microsoft.Resources/deployments\"}],\"variables\":{\"resourceGroupName\":\"[split(parameters('networkSecurityGroup'), '/')[4]]\",\"securityGroupName\":\"[split(parameters('networkSecurityGroup'), '/')[8]]\",\"storageAccountName\":\"[concat('es', uniqueString(variables('securityGroupName'), parameters('time')))]\"}}}},\"deploymentScope\":\"subscription\",\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Network/networkWatchers/flowLogs/enabled\"}]},\"existenceScope\":\"resourceGroup\",\"name\":\"[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id'))), 'null/null', concat(split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8], '/', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10]))]\",\"resourceGroupName\":\"[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), 'NetworkWatcherRG', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\",\"/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12\",\"/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\",\"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\",\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Network/networkWatchers/flowlogs\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL ", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-PostgreSQL-sslEnforcement", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure Database for PostgreSQL server\",\"displayName\":\"Effect Azure Database for PostgreSQL server\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for PostgreSQL server to enforce\",\"displayName\":\"Select version for PostgreSQL 
server\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforPostgreSQL/servers\",\"field\":\"type\"},{\"anyOf\":[{\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\"notEquals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('minimalTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimalTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-12-01\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimalTlsVersion\":\"[parameters('minimalTlsVersion')]\",\"sslEnforcement\":\"[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]\"},\"type\":\"Microsoft.DBforPostgreSQL/servers\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"Enabled\",\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\"},{\"equals\":\"[parameters('minimalTlsVersion')]\",\"field\":\"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\"}]},\"name\":\"current\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.DBforPostgreSQL/servers\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "SQL servers deploys a specific min TLS version requirement.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-SQL-minTLS", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version SQL servers\",\"displayName\":\"Effect SQL servers\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version SQL servers to enforce\",\"displayName\":\"Select version for SQL server\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Sql/servers\",\"field\":\"type\"},{\"field\":\"Microsoft.Sql/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('minimalTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimalTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2019-06-01-preview\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimalTlsVersion\":\"[parameters('minimalTlsVersion')]\"},\"type\":\"Microsoft.Sql/servers\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('minimalTlsVersion')]\",\"field\":\"Microsoft.Sql/servers/minimalTlsVersion\"}]},\"name\":\"current\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.Sql/servers\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + 
"schema_version": 0, + "values": { + "description": "Deploy auditing settings to SQL Database when it not exist in the deployment", + "display_name": "Deploy SQL database auditing settings", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Sql-AuditingSettings", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Sql/servers/databases\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"sqlServerDataBaseName\":{\"value\":\"[field('name')]\"},\"sqlServerName\":{\"value\":\"[first(split(field('fullname'),'/'))]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"sqlServerDataBaseName\":{\"type\":\"String\"},\"sqlServerName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-03-01-preview\",\"name\":\"[concat( 
parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\"properties\":{\"auditActionsAndGroups\":[\"BATCH_COMPLETED_GROUP\",\"DATABASE_OBJECT_CHANGE_GROUP\",\"SCHEMA_OBJECT_CHANGE_GROUP\",\"BACKUP_RESTORE_GROUP\",\"APPLICATION_ROLE_CHANGE_PASSWORD_GROUP\",\"DATABASE_PRINCIPAL_CHANGE_GROUP\",\"DATABASE_PRINCIPAL_IMPERSONATION_GROUP\",\"DATABASE_ROLE_MEMBER_CHANGE_GROUP\",\"USER_CHANGE_PASSWORD_GROUP\",\"DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP\",\"DATABASE_OBJECT_PERMISSION_CHANGE_GROUP\",\"DATABASE_PERMISSION_CHANGE_GROUP\",\"SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP\",\"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP\",\"FAILED_DATABASE_AUTHENTICATION_GROUP\"],\"isAzureMonitorTargetEnabled\":true,\"state\":\"enabled\"},\"type\":\"Microsoft.Sql/servers/databases/auditingSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"enabled\",\"field\":\"Microsoft.Sql/servers/databases/auditingSettings/state\"},{\"equals\":\"true\",\"field\":\"Microsoft.Sql/servers/databases/auditingSettings/isAzureMonitorTargetEnabled\"}]},\"name\":\"default\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"],\"type\":\"Microsoft.Sql/servers/databases/auditingSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy 
the security Alert Policies configuration with email admin accounts when it not exist in current configuration", + "display_name": "Deploy SQL Database security Alert Policies configuration with email admin accounts", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Sql-SecurityAlertPolicies", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Sql/servers/databases\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"sqlServerDataBaseName\":{\"value\":\"[field('name')]\"},\"sqlServerName\":{\"value\":\"[first(split(field('fullname'),'/'))]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"sqlServerDataBaseName\":{\"type\":\"String\"},\"sqlServerName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2018-06-01-preview\",\"name\":\"[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\"properties\":{\"disabledAlerts\":[\"\"],\"emailAccountAdmins\":true,\"emailAddresses\":[\"admin@contoso.com\"],\"retentionDays\":0,\"state\":\"Enabled\",\"storageAccountAccessKey\":\"\",\"storageEndpoint\":null},\"type\":\"Microsoft.Sql/servers/databases/securityAlertPolicies\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"Enabled\",\"field\":\"Microsoft.Sql/servers/databases/securityAlertPolicies/state\"}]},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e
-88ba6a50c9c3\"],\"type\":\"Microsoft.Sql/servers/databases/securityAlertPolicies\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment", + "display_name": "Deploy SQL Database Transparent Data Encryption ", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Sql-Tde", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Sql/servers/databases\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"sqlServerDataBaseName\":{\"value\":\"[field('name')]\"},\"sqlServerName\":{\"value\":\"[first(split(field('fullname'),'/'))]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"sqlServerDataBaseName\":{\"type\":\"String\"},\"sqlServerName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2014-04-01\",\"name\":\"[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/current')]\",\"properties\":{\"status\":\"Enabled\"},\"type\":\"Microsoft.Sql/servers/databases/transparentDataEncryption\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"Enabled\",\"field\":\"Microsoft.Sql/transparentDataEncryption.status\"}]},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"],\"type\":\"Microsoft.Sql/servers/databases/transparentDataEncryption\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy SQL Database vulnerability 
Assessments when it not exist in the deployment. To the specific storage account in the parameters", + "display_name": "Deploy SQL Database vulnerability Assessments", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Sql-vulnerabilityAssessments", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"vulnerabilityAssessmentsEmail\":{\"metadata\":{\"description\":\"The email address to send alerts\",\"displayName\":\"The email address to send alerts\"},\"type\":\"String\"},\"vulnerabilityAssessmentsStorageID\":{\"metadata\":{\"description\":\"The storage account ID to store assessments\",\"displayName\":\"The storage account ID to store assessments\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Sql/servers/databases\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"sqlServerDataBaseName\":{\"value\":\"[field('name')]\"},\"sqlServerName\":{\"value\":\"[first(split(field('fullname'),'/'))]\"},\"vulnerabilityAssessmentsEmail\":{\"value\":\"[parameters('vulnerabilityAssessmentsEmail')]\"},\"vulnerabilityAssessmentsStorageID\":{\"value\":\"[parameters('vulnerabilityAssessmentsStorageID')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"sqlServerDataBaseName\":{\"type\":\"String\"},\"sqlServerName\":{\"type\":\"String\"},\"vulnerabilityAssessmentsEmail\":{\"type\":\"String\"},\"vulnerabilityAssessmentsStorageID\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-03-01-p
review\",\"name\":\"[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\"properties\":{\"recurringScans\":{\"emailSubscriptionAdmins\":false,\"emails\":[\"[parameters('vulnerabilityAssessmentsEmail')]\"],\"isEnabled\":true},\"storageAccountAccessKey\":\"[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]\",\"storageContainerPath\":\"[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') ) , '.blob.core.windows.net/vulneraabilitylogs')]\"},\"type\":\"Microsoft.Sql/servers/databases/vulnerabilityAssessments\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('vulnerabilityAssessmentsEmail')]\",\"field\":\"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails\"},{\"equals\":true,\"field\":\"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled\"}]},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\",\"/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\"],\"type\":\"Microsoft.Sql/servers/databases/vulnerabilityAssessments\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy a specific min TLS 
version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "SQL managed instances deploy a specific min TLS version requirement.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-SqlMi-minTLS", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version SQL servers\",\"displayName\":\"Effect SQL servers\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version SQL servers to enforce\",\"displayName\":\"Select version for SQL server\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Sql/managedInstances\",\"field\":\"type\"},{\"field\":\"Microsoft.Sql/managedInstances/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('minimalTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimalTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2020-02-02-preview\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimalTlsVersion\":\"[parameters('minimalTlsVersion')]\"},\"type\":\"Microsoft.Sql/managedInstances\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('minimalTlsVersion')]\",\"field\":\"Microsoft.Sql/managedInstances/minimalTlsVersion\"}]},\"name\":\"current\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.Sql/managedInstances\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", + "provider_name": 
"registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure STorage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS ", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Storage\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Storage-sslEnforcement", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure STorage\",\"displayName\":\"Effect Azure STorage\"},\"type\":\"String\"},\"minimumTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_1\",\"TLS1_0\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure STorage to enforce\",\"displayName\":\"Select version for PostgreSQL server\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Storage/storageAccounts\",\"field\":\"type\"},{\"anyOf\":[{\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\"notEquals\":\"true\"},{\"field\":\"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\"notEquals\":\"[parameters('minimumTlsVersion')]\"}]}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('minimumTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimumTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2019-06-01\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimumTlsVersion\":\"[parameters('minimumTlsVersion')]\",\"supportsHttpsTrafficOnly\":true},\"type\":\"Microsoft.Storage/storageAccounts\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\"},{\"equals\":\"[parameters('minimumTlsVersion')]\",\"field\":\"Microsoft.Storage/storageAccounts/minimumTlsVersion\"},{\"equals\":\"false\",\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\"}]},\"name\":\"current\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.DBforPostgreSQL/servers\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-VNET-HubSpoke\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-VNET-HubSpoke", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy deploys virtual network and peer to the hub", + "display_name": "Deploy Virtual Network with peering to the hub", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.1.0\"}", + "mode": "All", + "name": "Deploy-VNET-HubSpoke", + "parameters": "{\"dnsServers\":{\"defaultValue\":[],\"metadata\":{\"description\":\"Default domain servers for the vNET.\",\"displayName\":\"DNSServers\"},\"type\":\"Array\"},\"hubResourceId\":{\"metadata\":{\"description\":\"Resource ID for the HUB vNet\",\"displayName\":\"hubResourceId\"},\"type\":\"String\"},\"vNetCidrRange\":{\"metadata\":{\"description\":\"CIDR Range for the vNet\",\"displayName\":\"vNetCidrRange\"},\"type\":\"String\"},\"vNetLocation\":{\"metadata\":{\"description\":\"Location for the vNet\",\"displayName\":\"vNetLocation\"},\"type\":\"String\"},\"vNetName\":{\"metadata\":{\"description\":\"Name of the landing zone vNet\",\"displayName\":\"vNetName\"},\"type\":\"String\"},\"vNetPeerUseRemoteGateway\":{\"defaultValue\":false,\"metadata\":{\"description\":\"Enable gateway transit for the LZ network\",\"displayName\":\"vNetPeerUseRemoteGateway\"},\"type\":\"Boolean\"},\"vNetRgName\":{\"metadata\":{\"description\":\"Name of the landing zone vNet RG\",\"displayName\":\"vNetRgName\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"ResourceGroupName\":\"[parameters('vNetRgName')]\",\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"dnsServers\":{\"value\":\"[parameters('dnsServers')]\"},\"hubResourceId\":{\"value\":\"[parameters('hubResourceId')]\"},\"vNetCidrRange\":{\"value\":\"[parameters('vNetCidrRange')]\"},\"vNetLocation\":{\"value\":\"[parameters('vNetLocation')]\"},\"vNetName\":{\"value\":\"[parameters('vNetName')]\"},\"vNetPeerUseRemoteGateway\":{\"value\":\"[parameters('vNetPeerUseRemoteGateway')]\"},\"vNetRgName\":{\"value\":\"[parameters('vNetRgName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"dnsServers\":{\"defaultValue\":[],\"type\":\"Array\"},\"hubResourceId\":{\"type\":\"String\"},\"vNetCidrRange\":{\"type\":\"String\"},\"vNetLocation\":{\"type\":\"String\"},\"vNetName\":{\"type\":\"String\"},\"vNetPeerUseRemoteGateway\":{\"defaultValue\":false,\"type\":\"bool\"},\"vNetRgName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2021-04-01\",\"dependsOn\":[],\"location\":\"[parameters('vNetLocation')]\",\"name\":\"[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6),'-rg')]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{},\"resources\":[{\"apiVersion\":\"2021-04-01\",\"location\":\"[parameters('vNetLocation')]\",\"name\":\"[parameters('vNetRgName')]\",\"properties\":{},\"type\":\"Microsoft.Resources/resourceGroups\"}],\"variables\":{}}},\"type\":\"Microsoft.Resources/deployments\"},{\"apiVersion\":\"2021-04-01\",\"dependsOn\":[\"[concat('es-lz-vnet-',substring(uniqueString(subscrip
tion().id),0,6),'-rg')]\"],\"name\":\"[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6))]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{},\"resources\":[{\"apiVersion\":\"2021-02-01\",\"dependsOn\":[],\"location\":\"[parameters('vNetLocation')]\",\"name\":\"[parameters('vNetName')]\",\"properties\":{\"addressSpace\":{\"addressPrefixes\":[\"[parameters('vNetCidrRange')]\"]},\"dhcpOptions\":{\"dnsServers\":\"[parameters('dnsServers')]\"}},\"type\":\"Microsoft.Network/virtualNetworks\"},{\"apiVersion\":\"2021-02-01\",\"dependsOn\":[\"[parameters('vNetName')]\"],\"name\":\"[concat(parameters('vNetName'), '/peerToHub')]\",\"properties\":{\"allowForwardedTraffic\":true,\"allowGatewayTransit\":false,\"allowVirtualNetworkAccess\":true,\"remoteVirtualNetwork\":{\"id\":\"[parameters('hubResourceId')]\"},\"useRemoteGateways\":\"[parameters('vNetPeerUseRemoteGateway')]\"},\"type\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\"},{\"apiVersion\":\"2021-04-01\",\"dependsOn\":[\"[parameters('vNetName')]\"],\"name\":\"[concat('es-lz-hub-',substring(uniqueString(subscription().id),0,6),'-peering')]\",\"properties\":{\"expressionEvaluationOptions\":{\"scope\":\"inner\"},\"mode\":\"Incremental\",\"parameters\":{\"hubName\":{\"value\":\"[split(parameters('hubResourceId'),'/')[8]]\"},\"remoteVirtualNetwork\":{\"value\":\"[concat(subscription().id,'/resourceGroups/',parameters('vNetRgName'), '/providers/','Microsoft.Network/virtualNetworks/', 
parameters('vNetName'))]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"hubName\":{\"defaultValue\":false,\"type\":\"String\"},\"remoteVirtualNetwork\":{\"defaultValue\":false,\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2021-02-01\",\"name\":\"[[concat(parameters('hubName'),'/',last(split(parameters('remoteVirtualNetwork'),'/')))]\",\"properties\":{\"allowForwardedTraffic\":true,\"allowGatewayTransit\":true,\"allowVirtualNetworkAccess\":true,\"remoteVirtualNetwork\":{\"id\":\"[[parameters('remoteVirtualNetwork')]\"},\"useRemoteGateways\":false},\"type\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\"}],\"variables\":{}}},\"resourceGroup\":\"[split(parameters('hubResourceId'),'/')[4]]\",\"subscriptionId\":\"[split(parameters('hubResourceId'),'/')[2]]\",\"type\":\"Microsoft.Resources/deployments\"}],\"variables\":{}}},\"resourceGroup\":\"[parameters('vNetRgName')]\",\"type\":\"Microsoft.Resources/deployments\"}],\"variables\":{}}}},\"deploymentScope\":\"subscription\",\"existenceCondition\":{\"allOf\":[{\"field\":\"name\",\"like\":\"[parameters('vNetName')]\"},{\"equals\":\"[parameters('vNetLocation')]\",\"field\":\"location\"}]},\"existenceScope\":\"resourceGroup\",\"name\":\"[parameters('vNetName')]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Network/virtualNetworks\"},\"effect\":\"deployIfNotExists\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Windows-DomainJoin\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Windows-DomainJoin", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy Windows Domain Join Extension with keyvault configuration when the extension does not exist on a given windows Virtual Machine", + "display_name": "Deploy Windows Domain Join Extension with keyvault configuration", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Guest Configuration\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Windows-DomainJoin", + "parameters": "{\"domainFQDN\":{\"metadata\":{\"displayName\":\"domainFQDN\"},\"type\":\"String\"},\"domainOUPath\":{\"metadata\":{\"displayName\":\"domainOUPath\"},\"type\":\"String\"},\"domainPassword\":{\"metadata\":{\"displayName\":\"domainPassword\"},\"type\":\"String\"},\"domainUsername\":{\"metadata\":{\"displayName\":\"domainUsername\"},\"type\":\"String\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"keyVaultResourceId\":{\"metadata\":{\"displayName\":\"keyVaultResourceId\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Compute/virtualMachines\",\"field\":\"type\"},{\"equals\":\"MicrosoftWindowsServer\",\"field\":\"Microsoft.Compute/imagePublisher\"},{\"equals\":\"WindowsServer\",\"field\":\"Microsoft.Compute/imageOffer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2008-R2-SP1-zhcn\",\"2012-Datacenter\",\"2012-datacenter-gensecond\",\"2012-Datacenter-smalldisk\",\"2012-datacenter-smalldisk-g2\",\"2012-Datacenter-zhcn\",\"2012-datacenter-zhcn-g2\",\"2012-R2-Datacenter\",\"2012-r2-datacenter-gensecond\",\"2012-R2-Datacenter-smalldisk\",\"2012-r2-datacenter-smalldisk-g2\",\"2012-R2-Datacenter-zhcn\",\"2012-r2-datacenter-zhcn-g2\",\"2016-Datacenter\",\"2016-datacenter-gensecond\",\"2016-datacenter-gs\",\"2016-Datacenter-Server-Core\",\"2016-datacenter-server-core-g2\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-datacenter-server-core-smalldisk-g2\",\"2016-Datacenter-smalldisk\",\"2016-datacenter-smalldisk-g2\",\"2016-Datacenter-with-Containers\",\"2016-datacenter-with-containers-g2\",\"2016-Datacenter-with-RDSH\",\"2016-Datacenter-zhcn\",\"2016-datacenter-zhcn-g2\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-datacenter-core-g2\",\"2019-Datacenter-Core-smalldisk\",\"2019-datacenter-core-smalldisk-g2\",\"2019-Datacenter-Core-with-Containers\",\"2019-datacenter-core-with-containers-g2\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-datacenter-core-with-containers-smalldisk-g2\",\"2019-datacenter-gensecond\",\"2019-datacenter-gs\",\"2019-Datacenter-smalldisk\",\"2019-datacenter-smalldisk-g2\",\"2019-Datacenter-with-Containers\",\"2019-datacenter-with-containers-g2\",\"2019-Datacenter-with-Containers-smalldisk\",\"2019-datacenter-with-containers-smalldisk-g2\",\"2019-Datacenter-zhcn\",\"2019-datacenter-zhcn-g2\",\"Datacenter-Core-1803-with-Containers-smalldisk\",\"datacenter-core-1803-with-containers-smalldisk-g2\",\"Datacenter-Core-1809-with-Containers-smalldisk\",\"data
center-core-1809-with-containers-smalldisk-g2\",\"Datacenter-Core-1903-with-Containers-smalldisk\",\"datacenter-core-1903-with-containers-smalldisk-g2\",\"datacenter-core-1909-with-containers-smalldisk\",\"datacenter-core-1909-with-containers-smalldisk-g1\",\"datacenter-core-1909-with-containers-smalldisk-g2\"]}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"domainFQDN\":{\"value\":\"[parameters('domainFQDN')]\"},\"domainOUPath\":{\"value\":\"[parameters('domainOUPath')]\"},\"domainPassword\":{\"reference\":{\"keyVault\":{\"id\":\"[parameters('keyVaultResourceId')]\"},\"secretName\":\"[parameters('domainPassword')]\"}},\"domainUsername\":{\"reference\":{\"keyVault\":{\"id\":\"[parameters('keyVaultResourceId')]\"},\"secretName\":\"[parameters('domainUsername')]\"}},\"keyVaultResourceId\":{\"value\":\"[parameters('keyVaultResourceId')]\"},\"location\":{\"value\":\"[field('location')]\"},\"vmName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"domainFQDN\":{\"type\":\"String\"},\"domainOUPath\":{\"type\":\"String\"},\"domainPassword\":{\"type\":\"securestring\"},\"domainUsername\":{\"type\":\"String\"},\"keyVaultResourceId\":{\"type\":\"String\"},\"location\":{\"type\":\"String\"},\"vmName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2015-06-15\",\"location\":\"[resourceGroup().location]\",\"name\":\"[concat(variables('vmName'),'/joindomain')]\",\"properties\":{\"autoUpgradeMinorVersion\":true,\"protectedSettings\":{\"Password\":\"[parameters('domainPassword')]\"},\"publisher\":\"Microsoft.Compute\",\"settings\":{\"Name\":\"[parameters('domainFQDN')]\",\"OUPath\":\"[parameters('domainOUPath')]\",\"Options\":\"[variables('domainJoinOptions')]\",\"Restart\":\"true\",\"User\":\"[parameters('domainUserName')]\"},\"type\":\"JsonADDomainExtension\",\"t
ypeHandlerVersion\":\"1.3\"},\"type\":\"Microsoft.Compute/virtualMachines/extensions\"}],\"variables\":{\"domainJoinOptions\":3,\"vmName\":\"[parameters('vmName')]\"}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"JsonADDomainExtension\",\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\"},{\"equals\":\"Microsoft.Compute\",\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\"}]},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"],\"type\":\"Microsoft.Compute/virtualMachines/extensions\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints\"]", + "mode": "managed", + "type": "azurerm_policy_set_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints", + "display_name": "Public network access should be disabled for PaaS services", + "management_group_id": "root-id-1", + "name": "Deny-PublicPaaSEndpoints", + "parameters": "{\"ACRPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies the creation of Azure Container Registires with exposed public endpoints \",\"displayName\":\"Public network access on Azure Container Registry 
disabled\"},\"type\":\"String\"},\"AFSPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies the creation of Azure File Sync instances with exposed public endpoints \",\"displayName\":\"Public network access on Azure File Sync disabled\"},\"type\":\"String\"},\"AKSPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies the creation of Azure Kubernetes Service non-private clusters\",\"displayName\":\"Public network access on AKS API should be disabled\"},\"type\":\"String\"},\"BatchPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of Azure Batch Instances with exposed public endpoints\",\"displayName\":\"Public network access should be disabled for Azure Batch Instances\"},\"type\":\"String\"},\"CosmosPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies that Cosmos database accounts are created with out public network access is disabled.\",\"displayName\":\"Public network access should be disabled for CosmosDB\"},\"type\":\"String\"},\"KeyVaultPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\",\"displayName\":\"Public network access should be disabled for KeyVault\"},\"type\":\"String\"},\"MySQLFlexPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\",\"displayName\":\"Public network access should be disabled for MySQL Flexible 
Server\"},\"type\":\"String\"},\"PostgreSQLFlexPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of Postgre SQL Flexible DB accounts with exposed public endpoints\",\"displayName\":\"Public network access should be disabled for PostgreSql Flexible Server\"},\"type\":\"String\"},\"SqlServerPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of Sql servers with exposed public endpoints\",\"displayName\":\"Public network access on Azure SQL Database should be disabled\"},\"type\":\"String\"},\"StoragePublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\",\"displayName\":\"Public network access onStorage accounts should be disabled\"},\"type\":\"String\"}}", + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('CosmosPublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a", + "policy_group_names": null, + "reference_id": "CosmosDenyPaasPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('KeyVaultPublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490", + "policy_group_names": null, + "reference_id": "KeyVaultDenyPaasPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlServerPublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780", + "policy_group_names": null, + "reference_id": 
"SqlServerDenyPaasPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('StoragePublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c", + "policy_group_names": null, + "reference_id": "StorageDenyPaasPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AKSPublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8", + "policy_group_names": null, + "reference_id": "AKSDenyPaasPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('ACRPublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f", + "policy_group_names": null, + "reference_id": "ACRDenyPaasPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AFSPublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7", + "policy_group_names": null, + "reference_id": "AFSDenyPaasPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48", + "policy_group_names": null, + "reference_id": "PostgreSQLFlexDenyPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLFlexPublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052", + "policy_group_names": null, + "reference_id": "MySQLFlexDenyPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('BatchPublicIpDenyEffect')]\"}}", + "policy_definition_id": 
"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488", + "policy_group_names": null, + "reference_id": "BatchDenyPublicIP" + } + ], + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": { + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + } + ] + } + }, + { + "address": "module.test_core.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics\"]", + "mode": "managed", + "type": "azurerm_policy_set_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included ", + "display_name": "Deploy Diagnostic Settings to Azure Services", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "name": "Deploy-Diagnostics-LogAnalytics", + "parameters": "{\"ACILogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. 
The Policy willset the diagnostic with all metrics enabled.\",\"displayName\":\"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\"},\"type\":\"String\"},\"ACRLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\",\"displayName\":\"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\"},\"type\":\"String\"},\"AKSLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\",\"displayName\":\"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\"},\"type\":\"String\"},\"APIMgmtLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for API Management to Log Analytics workspace\"},\"type\":\"String\"},\"APIforFHIRLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\"},\"type\":\"String\"},\"AnalysisServiceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\"},\"type\":\"String\"},\"AppServiceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\"},\"type\":\"String\"},\"AppServiceWebappLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for App Service to Log Analytics workspace\"},\"type\":\"String\"},\"ApplicationGatewayLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\"},\"type\":\"String\"},\"AutomationLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Automation to Log Analytics workspace\"},\"type\":\"String\"},\"BatchLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Batch to Log Analytics workspace\"},\"type\":\"String\"},\"CDNEndpointsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\"},\"type\":\"String\"},\"CognitiveServicesLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\"},\"type\":\"String\"},\"CosmosLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\"},\"type\":\"String\"},\"DataExplorerClusterLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\"},\"type\":\"String\"},\"DataFactoryLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\"},\"type\":\"String\"},\"DataLakeAnalyticsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\"},\"type\":\"String\"},\"DataLakeStoreLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\"},\"type\":\"String\"},\"DatabricksLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\"},\"type\":\"String\"},\"EventGridSubLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\"},\"type\":\"String\"},\"EventGridTopicLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\"},\"type\":\"String\"},\"EventHubLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\"},\"type\":\"String\"},\"EventSystemTopicLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\"},\"type\":\"String\"},\"ExpressRouteLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\"},\"type\":\"String\"},\"FirewallLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\"},\"type\":\"String\"},\"FrontDoorLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\"},\"type\":\"String\"},\"FunctionAppLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\"},\"type\":\"String\"},\"HDInsightLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\"},\"type\":\"String\"},\"IotHubLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\"},\"type\":\"String\"},\"KeyVaultLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\"},\"type\":\"String\"},\"LoadBalancerLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\"},\"type\":\"String\"},\"LogicAppsISELogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\"},\"type\":\"String\"},\"LogicAppsWFLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\"},\"type\":\"String\"},\"MariaDBLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\"},\"type\":\"String\"},\"MediaServiceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\"},\"type\":\"String\"},\"MlWorkspaceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\"},\"type\":\"String\"},\"MySQLLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\"},\"type\":\"String\"},\"NetworkNICLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\"},\"type\":\"String\"},\"NetworkPublicIPNicLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\"},\"type\":\"String\"},\"NetworkSecurityGroupsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\"},\"type\":\"String\"},\"PostgreSQLLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\"},\"type\":\"String\"},\"PowerBIEmbeddedLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\"},\"type\":\"String\"},\"RedisCacheLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\"},\"type\":\"String\"},\"RelayLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Relay to Log Analytics workspace\"},\"type\":\"String\"},\"SQLDBsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\"},\"type\":\"String\"},\"SQLElasticPoolsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\"},\"type\":\"String\"},\"SQLMLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\"},\"type\":\"String\"},\"SearchServicesLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\"},\"type\":\"String\"},\"ServiceBusLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\"},\"type\":\"String\"},\"SignalRLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\"},\"type\":\"String\"},\"StorageAccountsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\"},\"type\":\"String\"},\"StreamAnalyticsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\"},\"type\":\"String\"},\"TimeSeriesInsightsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\"},\"type\":\"String\"},\"TrafficManagerLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\"},\"type\":\"String\"},\"VMSSLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\"},\"type\":\"String\"},\"VNetGWLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\",\"displayName\":\"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\"},\"type\":\"String\"},\"VirtualMachinesLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\"},\"type\":\"String\"},\"VirtualNetworkLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\"},\"type\":\"String\"},\"WVDAppGroupsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for WVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for WVD Application Groups to Log Analytics workspace\"},\"type\":\"String\"},\"WVDHostPoolsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for WVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for WVD Host pools to Log Analytics workspace\"},\"type\":\"String\"},\"WVDWorkspaceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for WVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for WVD Workspace to Log Analytics workspace\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('StorageAccountsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474", + "policy_group_names": null, + "reference_id": "StorageAccountDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('WVDAppGroupsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup", + "policy_group_names": null, + "reference_id": "WVDAppGroupDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('WVDWorkspaceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace", + "policy_group_names": null, + "reference_id": "WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('WVDHostPoolsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools", + "policy_group_names": null, + "reference_id": "WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('ACILogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI", + "policy_group_names": null, + "reference_id": "ACIDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('ACRLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR", + "policy_group_names": null, + "reference_id": "ACRDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"diagnosticsSettingNameToUse\":{\"value\":\"[parameters('profileName')]\"},\"effect\":{\"value\":\"[parameters('AKSLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8", + "policy_group_names": null, + "reference_id": "AKSDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('AnalysisServiceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService", + "policy_group_names": null, + "reference_id": "AnalysisServiceDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('APIforFHIRLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR", + "policy_group_names": null, + "reference_id": "APIforFHIRDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('APIMgmtLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt", + "policy_group_names": null, + "reference_id": "APIMgmtDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('ApplicationGatewayLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway", + "policy_group_names": null, + "reference_id": "ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics" + }, + { 
+ "parameter_values": "{\"effect\":{\"value\":\"[parameters('AutomationLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA", + "policy_group_names": null, + "reference_id": "AutomationDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('BatchLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5", + "policy_group_names": null, + "reference_id": "BatchDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('CDNEndpointsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints", + "policy_group_names": null, + "reference_id": "CDNEndpointsDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('CognitiveServicesLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices", + "policy_group_names": null, + "reference_id": "CognitiveServicesDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('CosmosLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB", + "policy_group_names": null, + "reference_id": "CosmosDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('DatabricksLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks", + "policy_group_names": null, + "reference_id": "DatabricksDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataExplorerClusterLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster", + "policy_group_names": null, + "reference_id": "DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataFactoryLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory", + "policy_group_names": null, + "reference_id": "DataFactoryDeployDiagnosticLogDeployLogAnalytics" + }, + { + 
"parameter_values": "{\"effect\":{\"value\":\"[parameters('DataLakeStoreLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03", + "policy_group_names": null, + "reference_id": "DataLakeStoreDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics", + "policy_group_names": null, + "reference_id": "DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('EventGridSubLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub", + "policy_group_names": null, + "reference_id": "EventGridSubDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('EventGridTopicLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic", + "policy_group_names": null, + "reference_id": "EventGridTopicDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('EventHubLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579", + "policy_group_names": null, + "reference_id": "EventHubDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('EventSystemTopicLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic", + "policy_group_names": null, + "reference_id": "EventSystemTopicDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('ExpressRouteLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute", + "policy_group_names": null, + "reference_id": "ExpressRouteDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('FirewallLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall", + "policy_group_names": null, + "reference_id": "FirewallDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('FrontDoorLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor", + "policy_group_names": null, + "reference_id": "FrontDoorDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('FunctionAppLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function", + "policy_group_names": null, + "reference_id": "FunctionAppDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('HDInsightLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight", + "policy_group_names": null, + "reference_id": "HDInsightDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('IotHubLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub", + "policy_group_names": null, + "reference_id": "IotHubDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('KeyVaultLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47", + "policy_group_names": null, + "reference_id": "KeyVaultDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('LoadBalancerLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer", + "policy_group_names": null, + "reference_id": "LoadBalancerDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('LogicAppsISELogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE", + "policy_group_names": null, + "reference_id": "LogicAppsISEDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('LogicAppsWFLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721", + "policy_group_names": null, + "reference_id": "LogicAppsWFDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('MariaDBLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB", + "policy_group_names": null, + "reference_id": "MariaDBDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('MediaServiceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService", + "policy_group_names": null, + "reference_id": "MediaServiceDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('MlWorkspaceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace", + "policy_group_names": null, + "reference_id": "MlWorkspaceDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL", + "policy_group_names": null, + "reference_id": "MySQLDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups", + "policy_group_names": null, + "reference_id": "NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('NetworkNICLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC", + "policy_group_names": null, + "reference_id": "NetworkNICDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL", + "policy_group_names": null, + "reference_id": "PostgreSQLDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded", + "policy_group_names": null, + "reference_id": 
"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"True\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648", + "policy_group_names": null, + "reference_id": "NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3", + "policy_group_names": null, + "reference_id": "RecoveryVaultDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('RedisCacheLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache", + "policy_group_names": null, + "reference_id": "RedisCacheDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('RelayLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay", + "policy_group_names": null, + "reference_id": "RelayDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('SearchServicesLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d", + "policy_group_names": null, + "reference_id": "SearchServicesDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('ServiceBusLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e", + "policy_group_names": null, + "reference_id": "ServiceBusDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SignalRLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR", + "policy_group_names": null, + "reference_id": "SignalRDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"diagnosticsSettingNameToUse\":{\"value\":\"[parameters('profileName')]\"},\"effect\":{\"value\":\"[parameters('SQLDBsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84", + "policy_group_names": null, + "reference_id": "SQLDatabaseDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools", + "policy_group_names": null, + "reference_id": "SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLMLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI", + "policy_group_names": null, + "reference_id": "SQLMDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('StreamAnalyticsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673", + "policy_group_names": null, + "reference_id": "StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights", + "policy_group_names": null, + "reference_id": "TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('TrafficManagerLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager", + "policy_group_names": null, + "reference_id": "TrafficManagerDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('VirtualNetworkLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork", + "policy_group_names": null, + "reference_id": "VirtualNetworkDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('VirtualMachinesLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM", + "policy_group_names": null, + "reference_id": "VirtualMachinesDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('VMSSLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS", + "policy_group_names": null, + "reference_id": "VMSSDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('VNetGWLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW", + "policy_group_names": null, + "reference_id": "VNetGWDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AppServiceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm", + "policy_group_names": null, + "reference_id": "AppServiceDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AppServiceWebappLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website", + "policy_group_names": null, + "reference_id": "AppServiceWebappDeployDiagnosticLogDeployLogAnalytics" + } + ], + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": { + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": 
{} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + } + ] + } + }, + { + "address": "module.test_core.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config\"]", + "mode": "managed", + "type": "azurerm_policy_set_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy Microsoft Defender for Cloud configuration", + 
"display_name": "Deploy Microsoft Defender for Cloud configuration", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Security Center\",\"version\":\"3.0.0\"}", + "name": "Deploy-MDFC-Config", + "parameters": "{\"ascExportResourceGroupLocation\":{\"metadata\":{\"description\":\"The location where the resource group and the export to Log Analytics workspace configuration are created.\",\"displayName\":\"Resource Group location for the export to Log Analytics workspace configuration\"},\"type\":\"String\"},\"ascExportResourceGroupName\":{\"metadata\":{\"description\":\"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\",\"displayName\":\"Resource Group name for the export to Log Analytics workspace configuration\"},\"type\":\"String\"},\"emailSecurityContact\":{\"metadata\":{\"description\":\"Provide email address for Microsoft Defender for Cloud contact details\",\"displayName\":\"Security contacts email address\"},\"type\":\"string\"},\"enableAscForAppServices\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForArm\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForContainers\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForDns\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForKeyVault\":{\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForOssDb\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForServers\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForSql\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForSqlOnVm\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForStorage\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Primary Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"}}", + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForOssDb')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a", + "policy_group_names": null, + "reference_id": "defenderForOssDb" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForServers')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222", + "policy_group_names": null, + "reference_id": "defenderForVM" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForSqlOnVm')]\"}}", + "policy_definition_id": 
"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3", + "policy_group_names": null, + "reference_id": "defenderForSqlServerVirtualMachines" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForAppServices')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d", + "policy_group_names": null, + "reference_id": "defenderForAppServices" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForStorage')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3", + "policy_group_names": null, + "reference_id": "defenderForStorageAccounts" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForContainers')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f", + "policy_group_names": null, + "reference_id": "defenderforContainers" + }, + { + "parameter_values": "{\"Effect\":{\"value\":\"[parameters('enableAscForKeyVault')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7", + "policy_group_names": null, + "reference_id": "defenderForKeyVaults" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForDns')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f", + "policy_group_names": null, + "reference_id": "defenderForDns" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForArm')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9", + "policy_group_names": null, + "reference_id": "defenderForArm" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('enableAscForSql')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491", + "policy_group_names": null, + "reference_id": "defenderForSqlPaas" + }, + { + "parameter_values": "{\"emailSecurityContact\":{\"value\":\"[parameters('emailSecurityContact')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts", + "policy_group_names": null, + "reference_id": "securityEmailContact" + }, + { + "parameter_values": "{\"resourceGroupLocation\":{\"value\":\"[parameters('ascExportResourceGroupLocation')]\"},\"resourceGroupName\":{\"value\":\"[parameters('ascExportResourceGroupName')]\"},\"workspaceResourceId\":{\"value\":\"[parameters('logAnalytics')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9", + "policy_group_names": null, + "reference_id": "ascExport" + } + ], + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": { + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + } + ] + } + }, + { + "address": "module.test_core.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones\"]", + "mode": "managed", + "type": "azurerm_policy_set_definition", + "name": "enterprise_scale", + "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones", + "display_name": "Configure Azure PaaS services to use private DNS zones", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", + "name": "Deploy-Private-DNS-Zones", + "parameters": "{\"azureAcrPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureAcrPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureAppPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureAppPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureAppServicesPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureAppServicesPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureAsrPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureAsrPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureBatchPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureBatchPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureCognitiveSearchPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone 
Identifier\",\"displayName\":\"azureCognitiveSearchPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureCognitiveServicesPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureCognitiveServicesPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureDiskAccessPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureDiskAccessPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureEventGridDomainsPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureEventGridDomainsPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureEventGridTopicsPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureEventGridTopicsPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureEventHubNamespacePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureEventHubNamespacePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureFilePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureFilePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureIotHubsPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureIotHubsPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureIotPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone 
Identifier\",\"displayName\":\"azureIotPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureKeyVaultPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureKeyVaultPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureMachineLearningWorkspacePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureMachineLearningWorkspacePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureRedisCachePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureRedisCachePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureServiceBusNamespacePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureServiceBusNamespacePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureSignalRPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureSignalRPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureWebPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureWebPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"string\"},\"effect1\":{\"allowedValues\":[\"deployIfNotExists\",\"Disabled\"],\"defaultValue\":\"deployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"string\"}}", + 
"policy_definition_group": [], + "policy_definition_reference": [ + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureFileprivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-File-Sync" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureWebPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-Web" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureBatchPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-Batch" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureAppPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-App" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureAsrPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-Site-Recovery" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureIotPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-IoT" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureKeyVaultPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-KeyVault" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureSignalRPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-SignalR" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureAppServicesPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-AppServices" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect1')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-EventGridTopics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureDiskAccessPrivateDnsZoneId')]\"}}", 
+ "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-DiskAccess" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-CognitiveServices" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect1')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureIotHubsPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-IoTHubs" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect1')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-EventGridDomains" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureRedisCachePrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-RedisCache" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureAcrPrivateDnsZoneId')]\"}}", + "policy_definition_id": 
"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-ACR" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-EventHubNamespace" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-MachineLearningWorkspace" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-ServiceBusNamespace" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-CognitiveSearch" + } + ], + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": { + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, 
+ { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + } + ] + } + }, + { + "address": "module.test_core.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security\"]", + "mode": "managed", + "type": "azurerm_policy_set_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment", + "display_name": "Deploy SQL Database built-in SQL security configuration", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "name": "Deploy-Sql-Security", + "parameters": "{\"SqlDbAuditingSettingsDeploySqlSecurityEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy auditing settings to SQL Database when it not exist in the deployment\",\"displayName\":\"Deploy SQL database auditing settings\"},\"type\":\"String\"},\"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current 
configuration\",\"displayName\":\"Deploy SQL Database security Alert Policies configuration with email admin accounts\"},\"type\":\"String\"},\"SqlDbTdeDeploySqlSecurityEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy the Transparent Data Encryption when it is not enabled in the deployment\",\"displayName\":\"Deploy SQL Database Transparent Data Encryption \"},\"type\":\"String\"},\"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\",\"displayName\":\"Deploy SQL Database vulnerability Assessments\"},\"type\":\"String\"},\"vulnerabilityAssessmentsEmail\":{\"metadata\":{\"description\":\"The email address to send alerts\",\"displayName\":\"The email address to send alerts\"},\"type\":\"String\"},\"vulnerabilityAssessmentsStorageID\":{\"metadata\":{\"description\":\"The storage account ID to store assessments\",\"displayName\":\"The storage account ID to store assessments\"},\"type\":\"String\"}}", + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde", + "policy_group_names": null, + "reference_id": "SqlDbTdeDeploySqlSecurity" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies", + "policy_group_names": 
null, + "reference_id": "SqlDbSecurityAlertPoliciesDeploySqlSecurity" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings", + "policy_group_names": null, + "reference_id": "SqlDbAuditingSettingsDeploySqlSecurity" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"},\"vulnerabilityAssessmentsEmail\":{\"value\":\"[parameters('vulnerabilityAssessmentsEmail')]\"},\"vulnerabilityAssessmentsStorageID\":{\"value\":\"[parameters('vulnerabilityAssessmentsStorageID')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments", + "policy_group_names": null, + "reference_id": "SqlDbVulnerabilityAssessmentsDeploySqlSecurity" + } + ], + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": { + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + } + ] + } + }, + { + "address": "module.test_core.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit\"]", + "mode": "managed", + "type": "azurerm_policy_set_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Choose either Deploy if not exist and append in combination with audit or 
Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit. ", + "display_name": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Encryption\",\"version\":\"1.0.0\"}", + "name": "Enforce-EncryptTransit", + "parameters": "{\"AKSIngressHttpsOnlyEffect\":{\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"deny\",\"metadata\":{\"description\":\"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\",\"displayName\":\"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\"},\"type\":\"String\"},\"APIAppServiceHttpsEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\"displayName\":\"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\"},\"type\":\"String\"},\"APIAppServiceLatestTlsEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"App Service API App. Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\",\"displayName\":\"App Service API App. 
Latest TLS version should be used in your API App\"},\"type\":\"String\"},\"AppServiceHttpEffect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\",\"displayName\":\"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\"},\"type\":\"String\"},\"AppServiceTlsVersionEffect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\",\"displayName\":\"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\"},\"type\":\"String\"},\"AppServiceminTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"App Service. Select version minimum TLS version for a Web App config to enforce\",\"displayName\":\"App Service. Select version minimum TLS Web App config\"},\"type\":\"String\"},\"FunctionLatestTlsEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\",\"displayName\":\"App Service Function App. Latest TLS version should be used in your Function App\"},\"type\":\"String\"},\"FunctionServiceHttpsEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"App Service Function App. Choose Deny or Audit in combination with Append policy. 
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\"displayName\":\"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\"},\"type\":\"String\"},\"MySQLEnableSSLDeployEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\"},\"type\":\"String\"},\"MySQLEnableSSLEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"MySQL database servers. 
Enforce SSL connection should be enabled for MySQL database servers\"},\"type\":\"String\"},\"MySQLminimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"MySQL database servers. Select version minimum TLS for MySQL server\"},\"type\":\"String\"},\"PostgreSQLEnableSSLDeployEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\"},\"type\":\"String\"},\"PostgreSQLEnableSSLEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"PostgreSQL database servers. 
Enforce SSL connection should be enabled for PostgreSQL database servers\"},\"type\":\"String\"},\"PostgreSQLminimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"PostgreSQL database servers. Select version minimum TLS for MySQL server\"},\"type\":\"String\"},\"RedisMinTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version for a Azure Cache for Redis to enforce\",\"displayName\":\"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\"},\"type\":\"String\"},\"RedisTLSDeployEffect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\"},\"type\":\"String\"},\"RedisTLSEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\"displayName\":\"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\"},\"type\":\"String\"},\"SQLManagedInstanceMinTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version for Azure Managed Instanceto to enforce\",\"displayName\":\"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\"},\"type\":\"String\"},\"SQLManagedInstanceTLSDeployEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\"},\"type\":\"String\"},\"SQLManagedInstanceTLSEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. 
Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\",\"displayName\":\"SQL Managed Instance should have the minimal TLS version of 1.2\"},\"type\":\"String\"},\"SQLServerTLSDeployEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\"},\"type\":\"String\"},\"SQLServerTLSEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\",\"displayName\":\"Azure SQL Database should have the minimal TLS version of 1.2\"},\"type\":\"String\"},\"SQLServerminTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version for Azure SQL Database to enforce\",\"displayName\":\"Azure SQL Database.Select version minimum TLS for Azure SQL Database\"},\"type\":\"String\"},\"StorageDeployHttpsEnabledEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Audit requirement of Secure transfer in your storage account. 
Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\",\"displayName\":\"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\"},\"type\":\"String\"},\"StorageHttpsEnabledEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\",\"displayName\":\"Azure Storage Account. Secure transfer to storage accounts should be enabled\"},\"type\":\"String\"},\"StorageminimumTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_1\",\"TLS1_0\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version on Azure Storage Account to enforce\",\"displayName\":\"Storage Account select minimum TLS version\"},\"type\":\"String\"},\"WebAppServiceHttpsEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\"displayName\":\"App Service Web App. Web Application should only be accessible over HTTPS. 
Choose Deny or Audit in combination with Append policy.\"},\"type\":\"String\"},\"WebAppServiceLatestTlsEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\",\"displayName\":\"App Service Web App. Latest TLS version should be used in your Web App\"},\"type\":\"String\"}}", + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AppServiceHttpEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", + "policy_group_names": null, + "reference_id": "AppServiceHttpEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AppServiceTlsVersionEffect')]\"},\"minTlsVersion\":{\"value\":\"[parameters('AppServiceminTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", + "policy_group_names": null, + "reference_id": "AppServiceminTlsVersion" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('APIAppServiceLatestTlsEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e", + "policy_group_names": null, + "reference_id": "APIAppServiceLatestTlsEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('FunctionLatestTlsEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", + "policy_group_names": null, + "reference_id": "FunctionLatestTlsEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('WebAppServiceLatestTlsEffect')]\"}}", + 
"policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", + "policy_group_names": null, + "reference_id": "WebAppServiceLatestTlsEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('APIAppServiceHttpsEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", + "policy_group_names": null, + "reference_id": "APIAppServiceHttpsEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('FunctionServiceHttpsEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", + "policy_group_names": null, + "reference_id": "FunctionServiceHttpsEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('WebAppServiceHttpsEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", + "policy_group_names": null, + "reference_id": "WebAppServiceHttpsEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AKSIngressHttpsOnlyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "policy_group_names": null, + "reference_id": "AKSIngressHttpsOnlyEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLEnableSSLDeployEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('MySQLminimalTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", + "policy_group_names": null, + "reference_id": "MySQLEnableSSLDeployEffect" + }, + { + 
"parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLEnableSSLEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('MySQLminimalTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", + "policy_group_names": null, + "reference_id": "MySQLEnableSSLEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLEnableSSLDeployEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('PostgreSQLminimalTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", + "policy_group_names": null, + "reference_id": "PostgreSQLEnableSSLDeployEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLEnableSSLEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('PostgreSQLminimalTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", + "policy_group_names": null, + "reference_id": "PostgreSQLEnableSSLEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('RedisTLSDeployEffect')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('RedisMinTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", + "policy_group_names": null, + "reference_id": "RedisTLSDeployEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('RedisTLSDeployEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", + "policy_group_names": null, + "reference_id": 
"RedisdisableNonSslPort" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('RedisTLSEffect')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('RedisMinTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", + "policy_group_names": null, + "reference_id": "RedisDenyhttps" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLManagedInstanceTLSDeployEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('SQLManagedInstanceMinTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", + "policy_group_names": null, + "reference_id": "SQLManagedInstanceTLSDeployEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLManagedInstanceTLSEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('SQLManagedInstanceMinTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", + "policy_group_names": null, + "reference_id": "SQLManagedInstanceTLSEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLServerTLSDeployEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('SQLServerminTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", + "policy_group_names": null, + "reference_id": "SQLServerTLSDeployEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLServerTLSEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('SQLServerminTlsVersion')]\"}}", + "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", + "policy_group_names": null, + "reference_id": "SQLServerTLSEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('StorageHttpsEnabledEffect')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('StorageMinimumTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS", + "policy_group_names": null, + "reference_id": "StorageHttpsEnabledEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('StorageDeployHttpsEnabledEffect')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('StorageMinimumTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", + "policy_group_names": null, + "reference_id": "StorageDeployHttpsEnabledEffect" + } + ], + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": { + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + } + ] + } + }, + { + "address": 
"module.test_core.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK\"]", + "mode": "managed", + "type": "azurerm_policy_set_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", + "display_name": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Encryption\",\"version\":\"1.0.0\"}", + "name": "Enforce-Encryption-CMK", + "parameters": "{\"ACRCmkEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\",\"displayName\":\"Container registries should be encrypted with a customer-managed key (CMK)\"},\"type\":\"String\"},\"AksCmkEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. 
This is a common requirement in many regulatory and industry compliance standards.\",\"displayName\":\"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\"},\"type\":\"String\"},\"AzureBatchCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\",\"displayName\":\"Azure Batch account should use customer-managed keys to encrypt data\"},\"type\":\"String\"},\"CognitiveServicesCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\",\"displayName\":\"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\"},\"type\":\"String\"},\"CosmosCMKEffect\":{\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\",\"metadata\":{\"description\":\"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. 
By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\",\"displayName\":\"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\"},\"type\":\"String\"},\"DataBoxCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\",\"displayName\":\"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\"},\"type\":\"String\"},\"EncryptedVMDisksEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\",\"displayName\":\"Disk encryption should be applied on virtual machines\"},\"type\":\"String\"},\"HealthcareAPIsCMKEffect\":{\"allowedValues\":[\"audit\",\"disabled\"],\"defaultValue\":\"audit\",\"metadata\":{\"description\":\"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. 
Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\",\"displayName\":\"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\"},\"type\":\"String\"},\"MySQLCMKEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\"displayName\":\"Azure MySQL servers bring your own key data protection should be enabled\"},\"type\":\"String\"},\"PostgreSQLCMKEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.\",\"displayName\":\"Azure PostgreSQL servers bring your own key data protection should be enabled\"},\"type\":\"String\"},\"SqlServerTDECMKEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\",\"displayName\":\"SQL servers should use customer-managed keys to encrypt data at rest\"},\"type\":\"String\"},\"StorageCMKEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\",\"displayName\":\"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\"},\"type\":\"String\"},\"StreamAnalyticsCMKEffect\":{\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\",\"metadata\":{\"description\":\"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. 
This gives you total control over how your Stream Analytics data is encrypted.\",\"displayName\":\"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\"},\"type\":\"String\"},\"SynapseWorkspaceCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\",\"displayName\":\"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\"},\"type\":\"String\"},\"WorkspaceCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\",\"displayName\":\"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\"},\"type\":\"String\"}}", + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('ACRCmkEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580", + "policy_group_names": null, + "reference_id": "ACRCmkDeny" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AksCmkEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67", + "policy_group_names": null, + "reference_id": "AksCmkDeny" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('WorkspaceCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8", + "policy_group_names": null, + "reference_id": "WorkspaceCMK" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('CognitiveServicesCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d", + "policy_group_names": null, + "reference_id": "CognitiveServicesCMK" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('CosmosCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f", + "policy_group_names": null, + "reference_id": "CosmosCMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataBoxCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae", + "policy_group_names": null, + "reference_id": "DataBoxCMKEffect" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('StreamAnalyticsCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7", + "policy_group_names": null, + "reference_id": "StreamAnalyticsCMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SynapseWorkspaceCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385", + "policy_group_names": null, + "reference_id": "SynapseWorkspaceCMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('StorageCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25", + "policy_group_names": null, + "reference_id": "StorageCMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833", + "policy_group_names": null, + "reference_id": "MySQLCMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274", + "policy_group_names": null, + "reference_id": "PostgreSQLCMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlServerTDECMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd", + "policy_group_names": null, + "reference_id": "SqlServerTDECMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('HealthcareAPIsCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119", + "policy_group_names": null, + "reference_id": 
"HealthcareAPIsCMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AzureBatchCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a", + "policy_group_names": null, + "reference_id": "AzureBatchCMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('EncryptedVMDisksEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d", + "policy_group_names": null, + "reference_id": "EncryptedVMDisksEffect" + } + ], + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": { + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + } + ] + } + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-connectivity/providers/Microsoft.Authorization/roleAssignments/2c342278-007c-54fe-9248-9b595e234ba9\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-connectivity/providers/Microsoft.Authorization/roleAssignments/2c342278-007c-54fe-9248-9b595e234ba9", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "2c342278-007c-54fe-9248-9b595e234ba9", + "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-connectivity", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/roleAssignments/21394dd9-69ec-512c-9de3-30b670daff24\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/roleAssignments/21394dd9-69ec-512c-9de3-30b670daff24", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "21394dd9-69ec-512c-9de3-30b670daff24", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-corp", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/roleAssignments/6256b2eb-a3a1-5bda-bb68-dcead826f64c\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/roleAssignments/6256b2eb-a3a1-5bda-bb68-dcead826f64c", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "6256b2eb-a3a1-5bda-bb68-dcead826f64c", 
+ "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-corp", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/roleAssignments/d15bcfa9-abc2-502b-89c1-315408118628\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/roleAssignments/d15bcfa9-abc2-502b-89c1-315408118628", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "d15bcfa9-abc2-502b-89c1-315408118628", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-corp", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp/providers/Microsoft.Authorization/roleAssignments/5d5a07ee-72ac-5583-bbab-4a0ed1bf76af\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp/providers/Microsoft.Authorization/roleAssignments/5d5a07ee-72ac-5583-bbab-4a0ed1bf76af", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": 
"5d5a07ee-72ac-5583-bbab-4a0ed1bf76af", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp/providers/Microsoft.Authorization/roleAssignments/d269276a-415b-5f47-82a7-868c52f6fb01\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp/providers/Microsoft.Authorization/roleAssignments/d269276a-415b-5f47-82a7-868c52f6fb01", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "d269276a-415b-5f47-82a7-868c52f6fb01", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp/providers/Microsoft.Authorization/roleAssignments/e4697989-40f6-5b34-8620-1d525354522f\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp/providers/Microsoft.Authorization/roleAssignments/e4697989-40f6-5b34-8620-1d525354522f", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + 
"delegated_managed_identity_resource_id": null, + "description": null, + "name": "e4697989-40f6-5b34-8620-1d525354522f", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/roleAssignments/913f587c-77a4-5440-ba16-48de7d0080d2\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/roleAssignments/913f587c-77a4-5440-ba16-48de7d0080d2", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "913f587c-77a4-5440-ba16-48de7d0080d2", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/roleAssignments/cfaa2796-3156-5c78-94a2-7c017ffe32bb\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/roleAssignments/cfaa2796-3156-5c78-94a2-7c017ffe32bb", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + 
"condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "cfaa2796-3156-5c78-94a2-7c017ffe32bb", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/1134e9e3-3bc3-5220-89e4-0c7ac5e0e779\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/1134e9e3-3bc3-5220-89e4-0c7ac5e0e779", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "1134e9e3-3bc3-5220-89e4-0c7ac5e0e779", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/3621f075-0492-5ec9-a8ad-40d284e3e4d1\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/3621f075-0492-5ec9-a8ad-40d284e3e4d1", + "provider_name": 
"registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "3621f075-0492-5ec9-a8ad-40d284e3e4d1", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/7045a468-5463-57ef-85af-cd7f5397aa16\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/7045a468-5463-57ef-85af-cd7f5397aa16", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "7045a468-5463-57ef-85af-cd7f5397aa16", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/78b4dff1-81d0-5991-aec4-332fdce426cb\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/78b4dff1-81d0-5991-aec4-332fdce426cb", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "78b4dff1-81d0-5991-aec4-332fdce426cb", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/926ac02b-01f3-57dc-b7d0-b7a1056019f4\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/926ac02b-01f3-57dc-b7d0-b7a1056019f4", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "926ac02b-01f3-57dc-b7d0-b7a1056019f4", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/a3ca23ea-bd49-51a5-a288-c88857197d75\"]", + "mode": "managed", + 
"type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/a3ca23ea-bd49-51a5-a288-c88857197d75", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "a3ca23ea-bd49-51a5-a288-c88857197d75", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/bfba15ef-a6d1-5f62-9730-d7ffc81bae8c\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/bfba15ef-a6d1-5f62-9730-d7ffc81bae8c", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "bfba15ef-a6d1-5f62-9730-d7ffc81bae8c", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/18ed5180-3e48-46fd-8541-4ea054d57064", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-management/providers/Microsoft.Authorization/roleAssignments/3cc45445-2e8f-5ed8-9e5a-0b73e3739c62\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-management/providers/Microsoft.Authorization/roleAssignments/3cc45445-2e8f-5ed8-9e5a-0b73e3739c62", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "3cc45445-2e8f-5ed8-9e5a-0b73e3739c62", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-management", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/0a0d25df-fef2-54ff-901e-fc6477cebc55\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/0a0d25df-fef2-54ff-901e-fc6477cebc55", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "0a0d25df-fef2-54ff-901e-fc6477cebc55", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-secure", + "timeouts": null + }, + 
"sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/3a8cf36e-00e1-5d48-b731-341ea13cf7d8\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/3a8cf36e-00e1-5d48-b731-341ea13cf7d8", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "3a8cf36e-00e1-5d48-b731-341ea13cf7d8", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-secure", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/5ce6aced-74a3-5723-aa63-eba8c6d90911\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/5ce6aced-74a3-5723-aa63-eba8c6d90911", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "5ce6aced-74a3-5723-aa63-eba8c6d90911", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "scope": 
"/providers/Microsoft.Management/managementGroups/root-id-1-secure", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/78569f4a-e104-5554-b21a-194423b56b0e\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/78569f4a-e104-5554-b21a-194423b56b0e", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "78569f4a-e104-5554-b21a-194423b56b0e", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-secure", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/d3766627-b2af-5525-9be8-9d97a8759a39\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/d3766627-b2af-5525-9be8-9d97a8759a39", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "d3766627-b2af-5525-9be8-9d97a8759a39", + "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-secure", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/130a22c1-674c-5a2a-b818-15ffc7d51207\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/130a22c1-674c-5a2a-b818-15ffc7d51207", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "130a22c1-674c-5a2a-b818-15ffc7d51207", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/19d1b7bb-0519-5651-91ab-25499f1709ad\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/19d1b7bb-0519-5651-91ab-25499f1709ad", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "19d1b7bb-0519-5651-91ab-25499f1709ad", + "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/1cfe15cf-6f9b-50ec-9633-06d5bc6524bd\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/1cfe15cf-6f9b-50ec-9633-06d5bc6524bd", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "1cfe15cf-6f9b-50ec-9633-06d5bc6524bd", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/281224b7-afc9-5e49-8553-8ca4d6c01a8a\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/281224b7-afc9-5e49-8553-8ca4d6c01a8a", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "281224b7-afc9-5e49-8553-8ca4d6c01a8a", + "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/3c229c60-0645-5f79-82d7-19eb11ddf257\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/3c229c60-0645-5f79-82d7-19eb11ddf257", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "3c229c60-0645-5f79-82d7-19eb11ddf257", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/3d13a056-fa9d-5f48-99ec-546f9eae65c7\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/3d13a056-fa9d-5f48-99ec-546f9eae65c7", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "3d13a056-fa9d-5f48-99ec-546f9eae65c7", + "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/4a679915-ced3-5c00-88d6-4f66597b95a4\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/4a679915-ced3-5c00-88d6-4f66597b95a4", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "4a679915-ced3-5c00-88d6-4f66597b95a4", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/4e722adf-bfdc-516b-9dde-5eff6fbd980e\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/4e722adf-bfdc-516b-9dde-5eff6fbd980e", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "4e722adf-bfdc-516b-9dde-5eff6fbd980e", + "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/5ff839a8-6bd0-5967-b385-4340bdeda854\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/5ff839a8-6bd0-5967-b385-4340bdeda854", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "5ff839a8-6bd0-5967-b385-4340bdeda854", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/6ebb856f-5448-5efc-9dc4-07e7065dc6ff\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/6ebb856f-5448-5efc-9dc4-07e7065dc6ff", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "6ebb856f-5448-5efc-9dc4-07e7065dc6ff", + "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/70f977db-fccf-5d76-bb11-5ad6feb44946\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/70f977db-fccf-5d76-bb11-5ad6feb44946", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "70f977db-fccf-5d76-bb11-5ad6feb44946", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/7eaea779-6033-5588-93af-e5dd34f731ab\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/7eaea779-6033-5588-93af-e5dd34f731ab", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "7eaea779-6033-5588-93af-e5dd34f731ab", + "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/7f9a44eb-87f1-5b90-bcff-fcf48b20b251\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/7f9a44eb-87f1-5b90-bcff-fcf48b20b251", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "7f9a44eb-87f1-5b90-bcff-fcf48b20b251", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/95eb7160-7dee-545e-8f03-79c8f032e209\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/95eb7160-7dee-545e-8f03-79c8f032e209", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "95eb7160-7dee-545e-8f03-79c8f032e209", + "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/97e99bb6-2763-5021-9eab-f1ffdac9b044\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/97e99bb6-2763-5021-9eab-f1ffdac9b044", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "97e99bb6-2763-5021-9eab-f1ffdac9b044", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/9f0d40ef-ca61-583f-a469-66e7a784d085\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/9f0d40ef-ca61-583f-a469-66e7a784d085", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "9f0d40ef-ca61-583f-a469-66e7a784d085", + "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/a77036d7-9519-59c5-8a42-5fc5ebe92c6c\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/a77036d7-9519-59c5-8a42-5fc5ebe92c6c", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "a77036d7-9519-59c5-8a42-5fc5ebe92c6c", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/e6ebf244-85df-5894-9b3e-1860d63ddf5f\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/e6ebf244-85df-5894-9b3e-1860d63ddf5f", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "e6ebf244-85df-5894-9b3e-1860d63ddf5f", + "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_definition.enterprise_scale[\"/providers/Microsoft.Authorization/roleDefinitions/6a8ddaca-120a-579a-a375-1abe30d29f6d\"]", + "mode": "managed", + "type": "azurerm_role_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Authorization/roleDefinitions/6a8ddaca-120a-579a-a375-1abe30d29f6d", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 1, + "values": { + "assignable_scopes": [ + "/providers/Microsoft.Management/managementGroups/root-id-1" + ], + "description": "Enterprise-scale custom Role Definition. Grants full access to manage Virtual Network subnets, but no other network resources.", + "name": "[ROOT-ID-1] Network-Subnet-Contributor", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.Network/*/read", + "Microsoft.Network/virtualNetworks/subnets/*" + ], + "data_actions": null, + "not_actions": [], + "not_data_actions": null + } + ], + "role_definition_id": "6a8ddaca-120a-579a-a375-1abe30d29f6d", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": { + "assignable_scopes": [ + false + ], + "permissions": [ + { + "actions": [ + false, + false, + false, + false, + false, + false, + false, + false + ], + "not_actions": [] + } + ] + } + }, + { + "address": "module.test_core.time_sleep.after_azurerm_management_group", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_management_group", + "provider_name": 
"registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "120s", + "destroy_duration": "0s", + "triggers": { + "azurerm_management_group_level_1": "[\"/providers/Microsoft.Management/managementGroups/root-id-1\"]", + "azurerm_management_group_level_2": "[\"/providers/Microsoft.Management/managementGroups/root-id-1-decommissioned\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones\",\"/providers/Microsoft.Management/managementGroups/root-id-1-platform\",\"/providers/Microsoft.Management/managementGroups/root-id-1-sandboxes\"]", + "azurerm_management_group_level_3": "[\"/providers/Microsoft.Management/managementGroups/root-id-1-connectivity\",\"/providers/Microsoft.Management/managementGroups/root-id-1-corp\",\"/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp\",\"/providers/Microsoft.Management/managementGroups/root-id-1-demo-online\",\"/providers/Microsoft.Management/managementGroups/root-id-1-demo-sap\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity\",\"/providers/Microsoft.Management/managementGroups/root-id-1-management\",\"/providers/Microsoft.Management/managementGroups/root-id-1-online\",\"/providers/Microsoft.Management/managementGroups/root-id-1-sap\",\"/providers/Microsoft.Management/managementGroups/root-id-1-secure\"]", + "azurerm_management_group_level_4": "[\"/providers/Microsoft.Management/managementGroups/root-id-1-web-emea\",\"/providers/Microsoft.Management/managementGroups/root-id-1-web-global\",\"/providers/Microsoft.Management/managementGroups/root-id-1-web-us\"]", + "azurerm_management_group_level_5": "[]", + "azurerm_management_group_level_6": "[]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_core.time_sleep.after_azurerm_policy_assignment", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_policy_assignment", + "provider_name": "registry.terraform.io/hashicorp/time", + 
"schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_management_group_policy_assignment_enterprise_scale": "[\"/providers/Microsoft.Management/managementGroups/root-id-1-connectivity/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET\",\"/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/policyAssignments/Deny-Public-Endpoints\",\"/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones\",\"/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp/providers/Microsoft.Authorization/policyAssignments/Deny-Public-Endpoints\",\"/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Public-IP\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-IP-Forwarding\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Containers-AKS\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Escalation-AKS\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landi
ng-zones/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Storage-http\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-AKS-Policy\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-DB-Auditing\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Threat\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-AKS-HTTPS\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL\",\"/providers/Microsoft.Management/managementGroups/root-id-1-management/providers/Microsoft.Authorization/policyAssignments/Deploy-Log-Analytics\",\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\",\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\",\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/policyAssignments/Deploy-HITRUST-HIPAA\",\"/prov
iders/Microsoft.Management/managementGroups/root-id-1-web-emea/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\",\"/providers/Microsoft.Management/managementGroups/root-id-1-web-emea/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\",\"/providers/Microsoft.Management/managementGroups/root-id-1-web-us/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\",\"/providers/Microsoft.Management/managementGroups/root-id-1-web-us/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Monitoring\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-AzActivity-Log\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-HITRUST-HIPAA\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-LX-Arc-Monitoring\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-MDFC-Config\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-Resource-Diag\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Auditing\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring\",\"/providers/Microsoft.Management/managementGroups/root-id-1/prov
iders/Microsoft.Authorization/policyAssignments/Deploy-VMSS-Monitoring\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-WS-Arc-Monitoring\"]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_core.time_sleep.after_azurerm_policy_definition", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_policy_definition", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_policy_definition_enterprise_scale": "[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AA-child-resources\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\"/providers/Microsoft.Management/managementGroups/ro
ot-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Aks\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-SubnetId\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-VmSize\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-Scale\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-HbiWorkspace\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicAccessWhenBehindVnet\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorizatio
n/policyDefinitions/Deny-MySql-http\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Private-DNS-Zones\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-VNet-Peering\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\"/providers/Microsoft.Management/managementGroups/roo
t-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Budget\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Custom-Route-Table\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-DDoSProtection\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\"/providers/Microsoft.Management/managementGroups/root-
id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\"/
providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinition
s/Deploy-Diagnostics-TrafficManager\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-FirewallPolicy\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitio
ns/Deploy-Nsg-FlowLogs-to-LA\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-VNET-HubSpoke\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Windows-DomainJoin\"]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_core.time_sleep.after_azurerm_policy_set_definition", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_policy_set_definition", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_policy_set_definition_enterprise_scale": 
"[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK\"]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_core.time_sleep.after_azurerm_role_assignment", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_role_assignment", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_policy_assignment_enterprise_scale": "[]", + "azurerm_policy_assignment_policy_assignment": 
"[\"/providers/Microsoft.Management/managementGroups/root-id-1-connectivity/providers/Microsoft.Authorization/roleAssignments/2c342278-007c-54fe-9248-9b595e234ba9\",\"/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/roleAssignments/21394dd9-69ec-512c-9de3-30b670daff24\",\"/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/roleAssignments/6256b2eb-a3a1-5bda-bb68-dcead826f64c\",\"/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/roleAssignments/d15bcfa9-abc2-502b-89c1-315408118628\",\"/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp/providers/Microsoft.Authorization/roleAssignments/5d5a07ee-72ac-5583-bbab-4a0ed1bf76af\",\"/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp/providers/Microsoft.Authorization/roleAssignments/d269276a-415b-5f47-82a7-868c52f6fb01\",\"/providers/Microsoft.Management/managementGroups/root-id-1-demo-corp/providers/Microsoft.Authorization/roleAssignments/e4697989-40f6-5b34-8620-1d525354522f\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/roleAssignments/913f587c-77a4-5440-ba16-48de7d0080d2\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/roleAssignments/cfaa2796-3156-5c78-94a2-7c017ffe32bb\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/1134e9e3-3bc3-5220-89e4-0c7ac5e0e779\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/3621f075-0492-5ec9-a8ad-40d284e3e4d1\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/7045a468-5463-57ef-85af-cd7f5397aa16\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/provi
ders/Microsoft.Authorization/roleAssignments/78b4dff1-81d0-5991-aec4-332fdce426cb\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/926ac02b-01f3-57dc-b7d0-b7a1056019f4\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/a3ca23ea-bd49-51a5-a288-c88857197d75\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/bfba15ef-a6d1-5f62-9730-d7ffc81bae8c\",\"/providers/Microsoft.Management/managementGroups/root-id-1-management/providers/Microsoft.Authorization/roleAssignments/3cc45445-2e8f-5ed8-9e5a-0b73e3739c62\",\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/0a0d25df-fef2-54ff-901e-fc6477cebc55\",\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/3a8cf36e-00e1-5d48-b731-341ea13cf7d8\",\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/5ce6aced-74a3-5723-aa63-eba8c6d90911\",\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/78569f4a-e104-5554-b21a-194423b56b0e\",\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/d3766627-b2af-5525-9be8-9d97a8759a39\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/130a22c1-674c-5a2a-b818-15ffc7d51207\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/19d1b7bb-0519-5651-91ab-25499f1709ad\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/1cfe15cf-6f9b-50ec-9633-06d5bc6524bd\",\"/providers/Microsoft.Manag
ement/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/281224b7-afc9-5e49-8553-8ca4d6c01a8a\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/3c229c60-0645-5f79-82d7-19eb11ddf257\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/3d13a056-fa9d-5f48-99ec-546f9eae65c7\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/4a679915-ced3-5c00-88d6-4f66597b95a4\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/4e722adf-bfdc-516b-9dde-5eff6fbd980e\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/5ff839a8-6bd0-5967-b385-4340bdeda854\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/6ebb856f-5448-5efc-9dc4-07e7065dc6ff\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/70f977db-fccf-5d76-bb11-5ad6feb44946\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/7eaea779-6033-5588-93af-e5dd34f731ab\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/7f9a44eb-87f1-5b90-bcff-fcf48b20b251\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/95eb7160-7dee-545e-8f03-79c8f032e209\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/97e99bb6-2763-5021-9eab-f1ffdac9b044\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/9f0d40ef-ca61-583f-a469-66e7a784d085\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microso
ft.Authorization/roleAssignments/a77036d7-9519-59c5-8a42-5fc5ebe92c6c\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/e6ebf244-85df-5894-9b3e-1860d63ddf5f\"]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_core.time_sleep.after_azurerm_role_definition", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_role_definition", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_role_definition_enterprise_scale": "[\"/providers/Microsoft.Authorization/roleDefinitions/6a8ddaca-120a-579a-a375-1abe30d29f6d\"]" + } + }, + "sensitive_values": { + "triggers": {} + } + } + ], + "address": "module.test_core" + } + ] +}
diff --git a/tests/modules/test_002_add_custom_core/providers.tf b/tests/modules/test_002_add_custom_core/providers.tf
new file mode 100644
index 00000000..83314ab1
--- /dev/null
+++ b/tests/modules/test_002_add_custom_core/providers.tf
@@ -0,0 +1,13 @@
+provider "azurerm" {
+ features {}
+}
+
+provider "azurerm" {
+ alias = "connectivity"
+ features {}
+}
+
+provider "azurerm" {
+ alias = "management"
+ features {}
+}
diff --git a/tests/modules/test_002_add_custom_core/settings.tf b/tests/modules/test_002_add_custom_core/settings.tf
new file mode 100644
index 00000000..efce301f
--- /dev/null
+++ b/tests/modules/test_002_add_custom_core/settings.tf
@@ -0,0 +1,7 @@
+# Obtain configuration settings.
+module "settings" {
+ source = "../settings"
+
+ root_id = var.root_id
+ primary_location = var.primary_location
+}
diff --git a/tests/modules/test_002_add_custom_core/terraform.tf b/tests/modules/test_002_add_custom_core/terraform.tf
new file mode 100644
index 00000000..dbf21f3a
--- /dev/null
+++ b/tests/modules/test_002_add_custom_core/terraform.tf
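Review bot: In tests/modules/test_002_add_custom_core/providers.tf neither the `connectivity` nor the `management` alias sets `subscription_id`, so all three `azurerm` configurations take their subscription and credentials from the environment the test runs in. If that environment supplies a single subscription (not visible in this hunk), the aliases are indistinguishable and the test never exercises placing connectivity and management resources under separate subscriptions or identities. A short comment above the aliased blocks would make the intent explicit, for example `# Aliases intentionally share the ambient credentials; subscription separation is not covered by this test`.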
@@ -0,0 +1,15 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "2.96.0"
+ configuration_aliases = [
+ azurerm.connectivity,
+ azurerm.management,
+ ]
+ }
+ }
+ backend "local" {
+ path = "../tfstate/test_framework.tfstate"
+ }
+}
diff --git a/tests/modules/test_002_add_custom_core/variables.tf b/tests/modules/test_002_add_custom_core/variables.tf
new file mode 100644
index 00000000..ba5e59a8
--- /dev/null
+++ b/tests/modules/test_002_add_custom_core/variables.tf
@@ -0,0 +1,31 @@
+variable "root_id" {
+ type = string
+ default = "12345"
+}
+
+variable "root_name" {
+ type = string
+ default = "Test Framework"
+}
+
+variable "primary_location" {
+ type = string
+ default = "northeurope"
+}
+
+variable "secondary_location" {
+ type = string
+ default = "westeurope"
+}
+
+variable "create_duration_delay" {
+ type = map(string)
+ default = {
+ azurerm_management_group = "120s"
+ }
+}
+
+variable "destroy_duration_delay" {
+ type = map(string)
+ default = {}
+}
diff --git a/tests/modules/test_003_add_mgmt_conn/client_config.tf b/tests/modules/test_003_add_mgmt_conn/client_config.tf
new file mode 100644
index 00000000..82c49b84
--- /dev/null
+++ b/tests/modules/test_003_add_mgmt_conn/client_config.tf
@@ -0,0 +1,7 @@
+data "azurerm_client_config" "connectivity" {
+ provider = azurerm.connectivity
+}
+
+data "azurerm_client_config" "management" {
+ provider = azurerm.management
+}
diff --git a/tests/modules/test_003_add_mgmt_conn/main.tf b/tests/modules/test_003_add_mgmt_conn/main.tf
new file mode 100644
index 00000000..61f760a4
--- /dev/null
+++ b/tests/modules/test_003_add_mgmt_conn/main.tf
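Review bot: The `backend "local"` block in tests/modules/test_002_add_custom_core/terraform.tf keeps state at `../tfstate/test_framework.tfstate`, and Terraform writes resource attributes to a local state file unencrypted. Nothing in this hunk shows that directory being excluded from version control or from published pipeline artifacts, so it is worth confirming an ignore rule exists. A comment inside the block would record the expectation, for example `# Test-only state: keep the tfstate directory untracked and out of published build artifacts`.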
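Review bot: None of the six variables in tests/modules/test_002_add_custom_core/variables.tf carries a `description`, so a reader cannot tell which defaults are meant to be used and which are placeholders. `root_id` defaults to `"12345"` while the planned values elsewhere on this page use the prefix `root-id-1`, which suggests the default is normally overridden by the test pipeline. Adding a line such as `description = "ID prefix for the test hierarchy; overridden by the test pipeline"` to `root_id`, and equivalent one-liners to the other variables, would document that.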
@@ -0,0 +1,146 @@
+module "test_core" {
+ source = "../../../"
+
+ providers = {
+ azurerm = azurerm.management
+ azurerm.connectivity = azurerm.connectivity
+ azurerm.management = azurerm.management
+ }
+
+ # Base module configuration settings
+ root_parent_id = data.azurerm_client_config.management.tenant_id
+ root_id = var.root_id
+ root_name = var.root_name
+ default_location = var.primary_location
+ default_tags = module.settings.shared.default_tags
+
+ # Tuning delay timers to improve pipeline completion success rate
+ create_duration_delay = var.create_duration_delay
+ destroy_duration_delay = var.destroy_duration_delay
+
+ # Configuration settings for optional landing zones
+ deploy_corp_landing_zones = true
+ deploy_online_landing_zones = true
+ deploy_sap_landing_zones = true
+ deploy_demo_landing_zones = false
+
+ # Configure path for custom library folder and
+ # custom template file variables
+ library_path = "${path.root}/../test_lib"
+ template_file_variables = module.settings.core.custom_template_file_variables
+
+ # Configuration settings for core resources
+ deploy_core_landing_zones = true
+ custom_landing_zones = module.settings.core.custom_landing_zones
+ archetype_config_overrides = module.settings.core.archetype_config_overrides
+ subscription_id_overrides = module.settings.core.subscription_id_overrides
+
+ # Configuration settings for management resources
+ deploy_management_resources = false
+ configure_management_resources = module.settings.management.configure_management_resources
+ subscription_id_management = data.azurerm_client_config.management.subscription_id
+
+ # Configuration settings for connectivity resources
+ deploy_connectivity_resources = false
+ configure_connectivity_resources = module.settings.connectivity.configure_connectivity_resources
+ subscription_id_connectivity = data.azurerm_client_config.connectivity.subscription_id
+
+}
+
+module "test_core_nested" {
+ source = "../../../"
+
+ providers = {
+ azurerm = azurerm.management
+ azurerm.connectivity = azurerm.connectivity
+ azurerm.management = azurerm.management
+ }
+
+ # Base module configuration settings
+ root_parent_id = "${var.root_id}-landing-zones"
+ root_id = var.root_id
+ root_name = var.root_name
+ default_location = var.primary_location
+ default_tags = module.settings.shared.default_tags
+
+ # Tuning delay timers to improve pipeline completion success rate
+ create_duration_delay = var.create_duration_delay
+ destroy_duration_delay = var.destroy_duration_delay
+
+ # Configure path for custom library folder and
+ # custom template file variables
+ library_path = "${path.root}/../test_lib"
+ template_file_variables = module.settings.core.custom_template_file_variables
+
+ # Configuration settings for core resources
+ deploy_core_landing_zones = false
+ custom_landing_zones = module.settings.nested.custom_landing_zones
+
+ # Set dependency to ensure correct operation
+ depends_on = [
+ module.test_core,
+ ]
+
+}
+
+module "test_management" {
+ source = "../../../"
+
+ providers = {
+ azurerm = azurerm.management
+ azurerm.connectivity = azurerm.connectivity
+ azurerm.management = azurerm.management
+ }
+
+ # Base module configuration settings
+ root_parent_id = data.azurerm_client_config.management.tenant_id
+ root_id = var.root_id
+ root_name = var.root_name
+ default_location = var.primary_location
+ default_tags = module.settings.shared.default_tags
+
+ # Configure path for custom library folder and
+ # custom template file variables
+ library_path = "${path.root}/../test_lib"
+ template_file_variables = module.settings.core.custom_template_file_variables
+
+ # Configuration settings for core resources
+ deploy_core_landing_zones = false
+
+ # Configuration settings for management resources
+ deploy_management_resources = true
+ configure_management_resources = module.settings.management.configure_management_resources
+ subscription_id_management = data.azurerm_client_config.management.subscription_id
+
+}
+
+module "test_connectivity" {
+ source = "../../../"
+
+ providers = {
+ azurerm = azurerm.management
+ azurerm.connectivity = azurerm.connectivity
+ azurerm.management = azurerm.management
+ }
+
+ # Base module configuration settings
+ root_parent_id = data.azurerm_client_config.management.tenant_id
+ root_id = var.root_id
+ root_name = var.root_name
+ default_location = var.primary_location
+ default_tags = module.settings.shared.default_tags
+
+ # Configure path for custom library folder and
+ # custom template file variables
+ library_path = "${path.root}/../test_lib"
+ template_file_variables = module.settings.core.custom_template_file_variables
+
+ # Configuration settings for core resources
+ deploy_core_landing_zones = false
+
+ # Configuration settings for connectivity resources
+ deploy_connectivity_resources = true
+ configure_connectivity_resources = module.settings.connectivity.configure_connectivity_resources
+ subscription_id_connectivity = data.azurerm_client_config.connectivity.subscription_id
+
+}
diff --git a/tests/modules/test_003_add_mgmt_conn/outputs.tf b/tests/modules/test_003_add_mgmt_conn/outputs.tf
new file mode 100644
index 00000000..cb19fd78
--- /dev/null
+++ b/tests/modules/test_003_add_mgmt_conn/outputs.tf
@@ -0,0 +1,22 @@
+# The following output gives the a summary of all resources
+# created by the enterprise_scale module, formatted to allow
+# easy identification of the resource IDs as stored in the
+# Terraform state.
+
+output "resource_ids" {
+ value = {
+ for module_name, module_output in {
+ test_core = module.test_core
+ test_core_nested = module.test_core_nested
+ test_management = module.test_management
+ test_connectivity = module.test_connectivity
+ } :
+ module_name => {
+ for resource_type, resource_instances in module_output :
+ resource_type => {
+ for resource_name, resource_configs in resource_instances :
+ resource_name => keys(resource_configs)
+ }
+ }
+ }
+}
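Review bot: `root_parent_id = data.azurerm_client_config.management.tenant_id` in `module.test_core`, `module.test_management` and `module.test_connectivity` of tests/modules/test_003_add_mgmt_conn/main.tf passes the tenant ID as the parent, which presumably places the test hierarchy directly under the tenant root management group. The identity running the test then needs management-group, policy and role-assignment rights at tenant-root scope. Taking the parent from a variable, `root_parent_id = var.root_parent_id`, would let the pipeline target a dedicated test management group with a narrower role; that variable would have to be declared in this module's variables.tf, which is outside this hunk. If tenant-root placement is deliberate, a comment next to the first assignment should say so.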
diff --git a/tests/modules/test_003_add_mgmt_conn/planned_values.json b/tests/modules/test_003_add_mgmt_conn/planned_values.json
new file mode 100644
index 00000000..886b19de
--- /dev/null
+++ b/tests/modules/test_003_add_mgmt_conn/planned_values.json
@@ -0,0 +1,8054 @@ +{ + "child_modules": [ + { + "resources": [ + { + "address": "module.test_connectivity.azurerm_express_route_gateway.virtual_wan[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity/providers/Microsoft.Network/expressRouteGateways/root-id-1-ergw-northeurope\"]", + "mode": "managed", + "type": "azurerm_express_route_gateway", + "name": "virtual_wan", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity/providers/Microsoft.Network/expressRouteGateways/root-id-1-ergw-northeurope", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "location": "northeurope", + "name": "root-id-1-ergw-northeurope", + "resource_group_name": "root-id-1-connectivity", + "scale_units": 1, + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null, + "virtual_hub_id": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity/providers/Microsoft.Network/virtualHubs/root-id-1-hub-northeurope" + }, + "sensitive_values": { + "tags": {} + } + }, + { + "address": "module.test_connectivity.azurerm_firewall.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/azureFirewalls/root-id-1-fw-northeurope\"]", + "mode": "managed", + "type": "azurerm_firewall", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/azureFirewalls/root-id-1-fw-northeurope", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "dns_servers": null, + "firewall_policy_id": null, + "ip_configuration": [ + { + "name": "root-id-1-fw-northeurope-pip", + "public_ip_address_id": 
"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/publicIPAddresses/root-id-1-fw-northeurope-pip", + "subnet_id": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-northeurope/subnets/AzureFirewallSubnet" + } + ], + "location": "northeurope", + "management_ip_configuration": [], + "name": "root-id-1-fw-northeurope", + "private_ip_ranges": null, + "resource_group_name": "root-id-1-connectivity-northeurope", + "sku_name": "AZFW_VNet", + "sku_tier": "Standard", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "threat_intel_mode": "Alert", + "timeouts": null, + "virtual_hub": [], + "zones": [ + "1", + "2", + "3" + ] + }, + "sensitive_values": { + "ip_configuration": [ + {} + ], + "management_ip_configuration": [], + "tags": {}, + "virtual_hub": [], + "zones": [ + false, + false, + false + ] + } + }, + { + "address": "module.test_connectivity.azurerm_firewall.virtual_wan[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity/providers/Microsoft.Network/azureFirewalls/root-id-1-fw-hub-northeurope\"]", + "mode": "managed", + "type": "azurerm_firewall", + "name": "virtual_wan", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity/providers/Microsoft.Network/azureFirewalls/root-id-1-fw-hub-northeurope", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "dns_servers": null, + "firewall_policy_id": null, + "ip_configuration": [], + "location": "northeurope", + "management_ip_configuration": [], + "name": "root-id-1-fw-hub-northeurope", + "private_ip_ranges": null, + "resource_group_name": "root-id-1-connectivity", + "sku_name": "AZFW_Hub", + "sku_tier": "Standard", + "tags": { + "deployedBy": 
"terraform/azure/caf-enterprise-scale/test_framework" + }, + "threat_intel_mode": "", + "timeouts": null, + "virtual_hub": [ + { + "public_ip_count": 1, + "virtual_hub_id": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity/providers/Microsoft.Network/virtualHubs/root-id-1-hub-northeurope" + } + ], + "zones": null + }, + "sensitive_values": { + "ip_configuration": [], + "management_ip_configuration": [], + "tags": {}, + "virtual_hub": [ + { + "public_ip_addresses": [] + } + ] + } + }, + { + "address": "module.test_connectivity.azurerm_private_dns_zone.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/northeurope.privatelink.siterecovery.windowsazure.com\"]", + "mode": "managed", + "type": "azurerm_private_dns_zone", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/northeurope.privatelink.siterecovery.windowsazure.com", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "name": "northeurope.privatelink.siterecovery.windowsazure.com", + "resource_group_name": "root-id-1-dns", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null + }, + "sensitive_values": { + "soa_record": [], + "tags": {} + } + }, + { + "address": "module.test_connectivity.azurerm_private_dns_zone.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net\"]", + "mode": "managed", + "type": "azurerm_private_dns_zone", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net", + "provider_name": 
"registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "name": "privatelink.blob.core.windows.net", + "resource_group_name": "root-id-1-dns", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null + }, + "sensitive_values": { + "soa_record": [], + "tags": {} + } + }, + { + "address": "module.test_connectivity.azurerm_private_dns_zone.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.file.core.windows.net\"]", + "mode": "managed", + "type": "azurerm_private_dns_zone", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.file.core.windows.net", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "name": "privatelink.file.core.windows.net", + "resource_group_name": "root-id-1-dns", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null + }, + "sensitive_values": { + "soa_record": [], + "tags": {} + } + }, + { + "address": "module.test_connectivity.azurerm_private_dns_zone.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.northeurope.backup.windowsazure.com\"]", + "mode": "managed", + "type": "azurerm_private_dns_zone", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.northeurope.backup.windowsazure.com", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "name": "privatelink.northeurope.backup.windowsazure.com", + "resource_group_name": "root-id-1-dns", + "tags": { + "deployedBy": 
"terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null + }, + "sensitive_values": { + "soa_record": [], + "tags": {} + } + }, + { + "address": "module.test_connectivity.azurerm_private_dns_zone.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.queue.core.windows.net\"]", + "mode": "managed", + "type": "azurerm_private_dns_zone", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.queue.core.windows.net", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "name": "privatelink.queue.core.windows.net", + "resource_group_name": "root-id-1-dns", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null + }, + "sensitive_values": { + "soa_record": [], + "tags": {} + } + }, + { + "address": "module.test_connectivity.azurerm_private_dns_zone.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.table.core.windows.net\"]", + "mode": "managed", + "type": "azurerm_private_dns_zone", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.table.core.windows.net", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "name": "privatelink.table.core.windows.net", + "resource_group_name": "root-id-1-dns", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null + }, + "sensitive_values": { + "soa_record": [], + "tags": {} + } + }, + { + "address": 
"module.test_connectivity.azurerm_private_dns_zone.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.web.core.windows.net\"]", + "mode": "managed", + "type": "azurerm_private_dns_zone", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.web.core.windows.net", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "name": "privatelink.web.core.windows.net", + "resource_group_name": "root-id-1-dns", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null + }, + "sensitive_values": { + "soa_record": [], + "tags": {} + } + }, + { + "address": "module.test_connectivity.azurerm_private_dns_zone_virtual_network_link.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/northeurope.privatelink.siterecovery.windowsazure.com/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-a0cc65a8-93d8-5026-b8ab-caf94af4bb45\"]", + "mode": "managed", + "type": "azurerm_private_dns_zone_virtual_network_link", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/northeurope.privatelink.siterecovery.windowsazure.com/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-a0cc65a8-93d8-5026-b8ab-caf94af4bb45", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "name": "b2ce43c7-d4ec-4878-8df7-b513d90bedbe-a0cc65a8-93d8-5026-b8ab-caf94af4bb45", + "private_dns_zone_name": "northeurope.privatelink.siterecovery.windowsazure.com", + "registration_enabled": false, + "resource_group_name": "root-id-1-dns", + "tags": { + "deployedBy": 
"terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null, + "virtual_network_id": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-northeurope" + }, + "sensitive_values": { + "tags": {} + } + }, + { + "address": "module.test_connectivity.azurerm_private_dns_zone_virtual_network_link.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/northeurope.privatelink.siterecovery.windowsazure.com/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-de56a30a-ebbf-596b-adab-474ff5a2b643\"]", + "mode": "managed", + "type": "azurerm_private_dns_zone_virtual_network_link", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/northeurope.privatelink.siterecovery.windowsazure.com/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-de56a30a-ebbf-596b-adab-474ff5a2b643", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "name": "b2ce43c7-d4ec-4878-8df7-b513d90bedbe-de56a30a-ebbf-596b-adab-474ff5a2b643", + "private_dns_zone_name": "northeurope.privatelink.siterecovery.windowsazure.com", + "registration_enabled": false, + "resource_group_name": "root-id-1-dns", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null, + "virtual_network_id": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-westeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-westeurope" + }, + "sensitive_values": { + "tags": {} + } + }, + { + "address": 
"module.test_connectivity.azurerm_private_dns_zone_virtual_network_link.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-a0cc65a8-93d8-5026-b8ab-caf94af4bb45\"]", + "mode": "managed", + "type": "azurerm_private_dns_zone_virtual_network_link", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-a0cc65a8-93d8-5026-b8ab-caf94af4bb45", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "name": "b2ce43c7-d4ec-4878-8df7-b513d90bedbe-a0cc65a8-93d8-5026-b8ab-caf94af4bb45", + "private_dns_zone_name": "privatelink.blob.core.windows.net", + "registration_enabled": false, + "resource_group_name": "root-id-1-dns", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null, + "virtual_network_id": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-northeurope" + }, + "sensitive_values": { + "tags": {} + } + }, + { + "address": "module.test_connectivity.azurerm_private_dns_zone_virtual_network_link.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-de56a30a-ebbf-596b-adab-474ff5a2b643\"]", + "mode": "managed", + "type": "azurerm_private_dns_zone_virtual_network_link", + "name": "connectivity", + "index": 
"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-de56a30a-ebbf-596b-adab-474ff5a2b643", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "name": "b2ce43c7-d4ec-4878-8df7-b513d90bedbe-de56a30a-ebbf-596b-adab-474ff5a2b643", + "private_dns_zone_name": "privatelink.blob.core.windows.net", + "registration_enabled": false, + "resource_group_name": "root-id-1-dns", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null, + "virtual_network_id": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-westeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-westeurope" + }, + "sensitive_values": { + "tags": {} + } + }, + { + "address": "module.test_connectivity.azurerm_private_dns_zone_virtual_network_link.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.file.core.windows.net/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-a0cc65a8-93d8-5026-b8ab-caf94af4bb45\"]", + "mode": "managed", + "type": "azurerm_private_dns_zone_virtual_network_link", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.file.core.windows.net/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-a0cc65a8-93d8-5026-b8ab-caf94af4bb45", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "name": "b2ce43c7-d4ec-4878-8df7-b513d90bedbe-a0cc65a8-93d8-5026-b8ab-caf94af4bb45", + "private_dns_zone_name": "privatelink.file.core.windows.net", + "registration_enabled": false, + "resource_group_name": "root-id-1-dns", + 
"tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null, + "virtual_network_id": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-northeurope" + }, + "sensitive_values": { + "tags": {} + } + }, + { + "address": "module.test_connectivity.azurerm_private_dns_zone_virtual_network_link.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.file.core.windows.net/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-de56a30a-ebbf-596b-adab-474ff5a2b643\"]", + "mode": "managed", + "type": "azurerm_private_dns_zone_virtual_network_link", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.file.core.windows.net/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-de56a30a-ebbf-596b-adab-474ff5a2b643", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "name": "b2ce43c7-d4ec-4878-8df7-b513d90bedbe-de56a30a-ebbf-596b-adab-474ff5a2b643", + "private_dns_zone_name": "privatelink.file.core.windows.net", + "registration_enabled": false, + "resource_group_name": "root-id-1-dns", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null, + "virtual_network_id": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-westeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-westeurope" + }, + "sensitive_values": { + "tags": {} + } + }, + { + "address": 
"module.test_connectivity.azurerm_private_dns_zone_virtual_network_link.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.northeurope.backup.windowsazure.com/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-a0cc65a8-93d8-5026-b8ab-caf94af4bb45\"]", + "mode": "managed", + "type": "azurerm_private_dns_zone_virtual_network_link", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.northeurope.backup.windowsazure.com/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-a0cc65a8-93d8-5026-b8ab-caf94af4bb45", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "name": "b2ce43c7-d4ec-4878-8df7-b513d90bedbe-a0cc65a8-93d8-5026-b8ab-caf94af4bb45", + "private_dns_zone_name": "privatelink.northeurope.backup.windowsazure.com", + "registration_enabled": false, + "resource_group_name": "root-id-1-dns", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null, + "virtual_network_id": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-northeurope" + }, + "sensitive_values": { + "tags": {} + } + }, + { + "address": "module.test_connectivity.azurerm_private_dns_zone_virtual_network_link.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.northeurope.backup.windowsazure.com/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-de56a30a-ebbf-596b-adab-474ff5a2b643\"]", + "mode": "managed", + "type": "azurerm_private_dns_zone_virtual_network_link", + "name": "connectivity", + "index": 
"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.northeurope.backup.windowsazure.com/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-de56a30a-ebbf-596b-adab-474ff5a2b643", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "name": "b2ce43c7-d4ec-4878-8df7-b513d90bedbe-de56a30a-ebbf-596b-adab-474ff5a2b643", + "private_dns_zone_name": "privatelink.northeurope.backup.windowsazure.com", + "registration_enabled": false, + "resource_group_name": "root-id-1-dns", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null, + "virtual_network_id": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-westeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-westeurope" + }, + "sensitive_values": { + "tags": {} + } + }, + { + "address": "module.test_connectivity.azurerm_private_dns_zone_virtual_network_link.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.queue.core.windows.net/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-a0cc65a8-93d8-5026-b8ab-caf94af4bb45\"]", + "mode": "managed", + "type": "azurerm_private_dns_zone_virtual_network_link", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.queue.core.windows.net/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-a0cc65a8-93d8-5026-b8ab-caf94af4bb45", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "name": "b2ce43c7-d4ec-4878-8df7-b513d90bedbe-a0cc65a8-93d8-5026-b8ab-caf94af4bb45", + "private_dns_zone_name": "privatelink.queue.core.windows.net", + "registration_enabled": false, + 
"resource_group_name": "root-id-1-dns", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null, + "virtual_network_id": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-northeurope" + }, + "sensitive_values": { + "tags": {} + } + }, + { + "address": "module.test_connectivity.azurerm_private_dns_zone_virtual_network_link.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.queue.core.windows.net/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-de56a30a-ebbf-596b-adab-474ff5a2b643\"]", + "mode": "managed", + "type": "azurerm_private_dns_zone_virtual_network_link", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.queue.core.windows.net/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-de56a30a-ebbf-596b-adab-474ff5a2b643", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "name": "b2ce43c7-d4ec-4878-8df7-b513d90bedbe-de56a30a-ebbf-596b-adab-474ff5a2b643", + "private_dns_zone_name": "privatelink.queue.core.windows.net", + "registration_enabled": false, + "resource_group_name": "root-id-1-dns", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null, + "virtual_network_id": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-westeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-westeurope" + }, + "sensitive_values": { + "tags": {} + } + }, + { + "address": 
"module.test_connectivity.azurerm_private_dns_zone_virtual_network_link.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.table.core.windows.net/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-a0cc65a8-93d8-5026-b8ab-caf94af4bb45\"]", + "mode": "managed", + "type": "azurerm_private_dns_zone_virtual_network_link", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.table.core.windows.net/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-a0cc65a8-93d8-5026-b8ab-caf94af4bb45", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "name": "b2ce43c7-d4ec-4878-8df7-b513d90bedbe-a0cc65a8-93d8-5026-b8ab-caf94af4bb45", + "private_dns_zone_name": "privatelink.table.core.windows.net", + "registration_enabled": false, + "resource_group_name": "root-id-1-dns", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null, + "virtual_network_id": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-northeurope" + }, + "sensitive_values": { + "tags": {} + } + }, + { + "address": "module.test_connectivity.azurerm_private_dns_zone_virtual_network_link.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.table.core.windows.net/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-de56a30a-ebbf-596b-adab-474ff5a2b643\"]", + "mode": "managed", + "type": "azurerm_private_dns_zone_virtual_network_link", + "name": "connectivity", + "index": 
"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.table.core.windows.net/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-de56a30a-ebbf-596b-adab-474ff5a2b643", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "name": "b2ce43c7-d4ec-4878-8df7-b513d90bedbe-de56a30a-ebbf-596b-adab-474ff5a2b643", + "private_dns_zone_name": "privatelink.table.core.windows.net", + "registration_enabled": false, + "resource_group_name": "root-id-1-dns", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null, + "virtual_network_id": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-westeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-westeurope" + }, + "sensitive_values": { + "tags": {} + } + }, + { + "address": "module.test_connectivity.azurerm_private_dns_zone_virtual_network_link.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.web.core.windows.net/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-a0cc65a8-93d8-5026-b8ab-caf94af4bb45\"]", + "mode": "managed", + "type": "azurerm_private_dns_zone_virtual_network_link", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.web.core.windows.net/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-a0cc65a8-93d8-5026-b8ab-caf94af4bb45", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "name": "b2ce43c7-d4ec-4878-8df7-b513d90bedbe-a0cc65a8-93d8-5026-b8ab-caf94af4bb45", + "private_dns_zone_name": "privatelink.web.core.windows.net", + "registration_enabled": false, + "resource_group_name": "root-id-1-dns", + 
"tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null, + "virtual_network_id": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-northeurope" + }, + "sensitive_values": { + "tags": {} + } + }, + { + "address": "module.test_connectivity.azurerm_private_dns_zone_virtual_network_link.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.web.core.windows.net/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-de56a30a-ebbf-596b-adab-474ff5a2b643\"]", + "mode": "managed", + "type": "azurerm_private_dns_zone_virtual_network_link", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.web.core.windows.net/virtualNetworkLinks/b2ce43c7-d4ec-4878-8df7-b513d90bedbe-de56a30a-ebbf-596b-adab-474ff5a2b643", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "name": "b2ce43c7-d4ec-4878-8df7-b513d90bedbe-de56a30a-ebbf-596b-adab-474ff5a2b643", + "private_dns_zone_name": "privatelink.web.core.windows.net", + "registration_enabled": false, + "resource_group_name": "root-id-1-dns", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null, + "virtual_network_id": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-westeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-westeurope" + }, + "sensitive_values": { + "tags": {} + } + }, + { + "address": 
"module.test_connectivity.azurerm_public_ip.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/publicIPAddresses/root-id-1-ergw-northeurope-pip\"]", + "mode": "managed", + "type": "azurerm_public_ip", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/publicIPAddresses/root-id-1-ergw-northeurope-pip", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "allocation_method": "Static", + "availability_zone": "Zone-Redundant", + "domain_name_label": null, + "idle_timeout_in_minutes": 4, + "ip_tags": null, + "ip_version": "IPv4", + "location": "northeurope", + "name": "root-id-1-ergw-northeurope-pip", + "public_ip_prefix_id": null, + "resource_group_name": "root-id-1-connectivity-northeurope", + "reverse_fqdn": null, + "sku": "Standard", + "sku_tier": "Regional", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null + }, + "sensitive_values": { + "tags": {}, + "zones": [] + } + }, + { + "address": "module.test_connectivity.azurerm_public_ip.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/publicIPAddresses/root-id-1-fw-northeurope-pip\"]", + "mode": "managed", + "type": "azurerm_public_ip", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/publicIPAddresses/root-id-1-fw-northeurope-pip", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "allocation_method": "Static", + "availability_zone": "Zone-Redundant", + "domain_name_label": null, + "idle_timeout_in_minutes": 4, + "ip_tags": null, + "ip_version": 
"IPv4", + "location": "northeurope", + "name": "root-id-1-fw-northeurope-pip", + "public_ip_prefix_id": null, + "resource_group_name": "root-id-1-connectivity-northeurope", + "reverse_fqdn": null, + "sku": "Standard", + "sku_tier": "Regional", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null + }, + "sensitive_values": { + "tags": {}, + "zones": [] + } + }, + { + "address": "module.test_connectivity.azurerm_public_ip.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/publicIPAddresses/root-id-1-vpngw-northeurope-pip\"]", + "mode": "managed", + "type": "azurerm_public_ip", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/publicIPAddresses/root-id-1-vpngw-northeurope-pip", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "allocation_method": "Static", + "availability_zone": "Zone-Redundant", + "domain_name_label": null, + "idle_timeout_in_minutes": 4, + "ip_tags": null, + "ip_version": "IPv4", + "location": "northeurope", + "name": "root-id-1-vpngw-northeurope-pip", + "public_ip_prefix_id": null, + "resource_group_name": "root-id-1-connectivity-northeurope", + "reverse_fqdn": null, + "sku": "Standard", + "sku_tier": "Regional", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null + }, + "sensitive_values": { + "tags": {}, + "zones": [] + } + }, + { + "address": "module.test_connectivity.azurerm_resource_group.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope\"]", + "mode": "managed", + "type": "azurerm_resource_group", + "name": "connectivity", + "index": 
"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "location": "northeurope", + "name": "root-id-1-connectivity-northeurope", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null + }, + "sensitive_values": { + "tags": {} + } + }, + { + "address": "module.test_connectivity.azurerm_resource_group.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-westeurope\"]", + "mode": "managed", + "type": "azurerm_resource_group", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-westeurope", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "location": "westeurope", + "name": "root-id-1-connectivity-westeurope", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null + }, + "sensitive_values": { + "tags": {} + } + }, + { + "address": "module.test_connectivity.azurerm_resource_group.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns\"]", + "mode": "managed", + "type": "azurerm_resource_group", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "location": "northeurope", + "name": "root-id-1-dns", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null + }, + "sensitive_values": { + "tags": {} + } + }, + { + "address": "module.test_connectivity.azurerm_resource_group.virtual_wan[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity\"]", + "mode": 
"managed", + "type": "azurerm_resource_group", + "name": "virtual_wan", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "location": "northeurope", + "name": "root-id-1-connectivity", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null + }, + "sensitive_values": { + "tags": {} + } + }, + { + "address": "module.test_connectivity.azurerm_subnet.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-northeurope/subnets/AzureFirewallSubnet\"]", + "mode": "managed", + "type": "azurerm_subnet", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-northeurope/subnets/AzureFirewallSubnet", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "address_prefixes": [ + "10.100.0.0/24" + ], + "delegation": [], + "enforce_private_link_endpoint_network_policies": false, + "enforce_private_link_service_network_policies": false, + "name": "AzureFirewallSubnet", + "resource_group_name": "root-id-1-connectivity-northeurope", + "service_endpoint_policy_ids": null, + "service_endpoints": null, + "timeouts": null, + "virtual_network_name": "root-id-1-hub-northeurope" + }, + "sensitive_values": { + "address_prefixes": [ + false + ], + "delegation": [] + } + }, + { + "address": "module.test_connectivity.azurerm_subnet.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-northeurope/subnets/GatewaySubnet\"]", + "mode": "managed", + "type": "azurerm_subnet", 
+ "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-northeurope/subnets/GatewaySubnet", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "address_prefixes": [ + "10.100.1.0/24" + ], + "delegation": [], + "enforce_private_link_endpoint_network_policies": false, + "enforce_private_link_service_network_policies": false, + "name": "GatewaySubnet", + "resource_group_name": "root-id-1-connectivity-northeurope", + "service_endpoint_policy_ids": null, + "service_endpoints": null, + "timeouts": null, + "virtual_network_name": "root-id-1-hub-northeurope" + }, + "sensitive_values": { + "address_prefixes": [ + false + ], + "delegation": [] + } + }, + { + "address": "module.test_connectivity.azurerm_subnet.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-westeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-westeurope/subnets/AzureFirewallSubnet\"]", + "mode": "managed", + "type": "azurerm_subnet", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-westeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-westeurope/subnets/AzureFirewallSubnet", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "address_prefixes": [ + "10.101.0.0/24" + ], + "delegation": [], + "enforce_private_link_endpoint_network_policies": false, + "enforce_private_link_service_network_policies": false, + "name": "AzureFirewallSubnet", + "resource_group_name": "root-id-1-connectivity-westeurope", + "service_endpoint_policy_ids": null, + "service_endpoints": null, + "timeouts": null, + "virtual_network_name": "root-id-1-hub-westeurope" + }, + "sensitive_values": { + "address_prefixes": [ + false + ], + 
"delegation": [] + } + }, + { + "address": "module.test_connectivity.azurerm_subnet.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-westeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-westeurope/subnets/GatewaySubnet\"]", + "mode": "managed", + "type": "azurerm_subnet", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-westeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-westeurope/subnets/GatewaySubnet", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "address_prefixes": [ + "10.101.1.0/24" + ], + "delegation": [], + "enforce_private_link_endpoint_network_policies": false, + "enforce_private_link_service_network_policies": false, + "name": "GatewaySubnet", + "resource_group_name": "root-id-1-connectivity-westeurope", + "service_endpoint_policy_ids": null, + "service_endpoints": null, + "timeouts": null, + "virtual_network_name": "root-id-1-hub-westeurope" + }, + "sensitive_values": { + "address_prefixes": [ + false + ], + "delegation": [] + } + }, + { + "address": "module.test_connectivity.azurerm_virtual_hub.virtual_wan[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity/providers/Microsoft.Network/virtualHubs/root-id-1-hub-northeurope\"]", + "mode": "managed", + "type": "azurerm_virtual_hub", + "name": "virtual_wan", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity/providers/Microsoft.Network/virtualHubs/root-id-1-hub-northeurope", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "address_prefix": "10.200.0.0/22", + "location": "northeurope", + "name": "root-id-1-hub-northeurope", + "resource_group_name": "root-id-1-connectivity", + "route": [], + "sku": "Standard", + "tags": { + "deployedBy": 
"terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null, + "virtual_wan_id": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity/providers/Microsoft.Network/virtualWans/root-id-1-vwan-northeurope" + }, + "sensitive_values": { + "route": [], + "tags": {} + } + }, + { + "address": "module.test_connectivity.azurerm_virtual_hub.virtual_wan[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity/providers/Microsoft.Network/virtualHubs/root-id-1-hub-westeurope\"]", + "mode": "managed", + "type": "azurerm_virtual_hub", + "name": "virtual_wan", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity/providers/Microsoft.Network/virtualHubs/root-id-1-hub-westeurope", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "address_prefix": "10.201.0.0/22", + "location": "westeurope", + "name": "root-id-1-hub-westeurope", + "resource_group_name": "root-id-1-connectivity", + "route": [], + "sku": "Standard", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null, + "virtual_wan_id": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity/providers/Microsoft.Network/virtualWans/root-id-1-vwan-northeurope" + }, + "sensitive_values": { + "route": [], + "tags": {} + } + }, + { + "address": "module.test_connectivity.azurerm_virtual_network.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-northeurope\"]", + "mode": "managed", + "type": "azurerm_virtual_network", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-northeurope", + "provider_name": 
"registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "address_space": [ + "10.100.0.0/22" + ], + "bgp_community": null, + "ddos_protection_plan": [], + "dns_servers": [], + "flow_timeout_in_minutes": null, + "location": "northeurope", + "name": "root-id-1-hub-northeurope", + "resource_group_name": "root-id-1-connectivity-northeurope", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null, + "vm_protection_enabled": false + }, + "sensitive_values": { + "address_space": [ + false + ], + "ddos_protection_plan": [], + "dns_servers": [], + "subnet": [], + "tags": {} + } + }, + { + "address": "module.test_connectivity.azurerm_virtual_network.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-westeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-westeurope\"]", + "mode": "managed", + "type": "azurerm_virtual_network", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-westeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-westeurope", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "address_space": [ + "10.101.0.0/22" + ], + "bgp_community": null, + "ddos_protection_plan": [], + "dns_servers": [], + "flow_timeout_in_minutes": null, + "location": "westeurope", + "name": "root-id-1-hub-westeurope", + "resource_group_name": "root-id-1-connectivity-westeurope", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null, + "vm_protection_enabled": false + }, + "sensitive_values": { + "address_space": [ + false + ], + "ddos_protection_plan": [], + "dns_servers": [], + "subnet": [], + "tags": {} + } + }, + { + "address": 
"module.test_connectivity.azurerm_virtual_network_gateway.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/virtualNetworkGateways/root-id-1-ergw-northeurope\"]", + "mode": "managed", + "type": "azurerm_virtual_network_gateway", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/virtualNetworkGateways/root-id-1-ergw-northeurope", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "active_active": false, + "custom_route": [], + "default_local_network_gateway_id": null, + "enable_bgp": true, + "ip_configuration": [ + { + "name": "root-id-1-ergw-northeurope-pip", + "private_ip_address_allocation": "Dynamic", + "public_ip_address_id": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/publicIPAddresses/root-id-1-ergw-northeurope-pip", + "subnet_id": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-northeurope/subnets/GatewaySubnet" + } + ], + "location": "northeurope", + "name": "root-id-1-ergw-northeurope", + "private_ip_address_enabled": null, + "resource_group_name": "root-id-1-connectivity-northeurope", + "sku": "ErGw1AZ", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null, + "type": "ExpressRoute", + "vpn_client_configuration": [], + "vpn_type": "RouteBased" + }, + "sensitive_values": { + "bgp_settings": [], + "custom_route": [], + "ip_configuration": [ + {} + ], + "tags": {}, + "vpn_client_configuration": [] + } + }, + { + "address": 
"module.test_connectivity.azurerm_virtual_network_gateway.connectivity[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/virtualNetworkGateways/root-id-1-vpngw-northeurope\"]", + "mode": "managed", + "type": "azurerm_virtual_network_gateway", + "name": "connectivity", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/virtualNetworkGateways/root-id-1-vpngw-northeurope", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "active_active": false, + "custom_route": [], + "default_local_network_gateway_id": null, + "enable_bgp": false, + "ip_configuration": [ + { + "name": "root-id-1-vpngw-northeurope-pip", + "private_ip_address_allocation": "Dynamic", + "public_ip_address_id": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/publicIPAddresses/root-id-1-vpngw-northeurope-pip", + "subnet_id": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity-northeurope/providers/Microsoft.Network/virtualNetworks/root-id-1-hub-northeurope/subnets/GatewaySubnet" + } + ], + "location": "northeurope", + "name": "root-id-1-vpngw-northeurope", + "private_ip_address_enabled": null, + "resource_group_name": "root-id-1-connectivity-northeurope", + "sku": "VpnGw1AZ", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null, + "type": "Vpn", + "vpn_client_configuration": [], + "vpn_type": "RouteBased" + }, + "sensitive_values": { + "bgp_settings": [], + "custom_route": [], + "ip_configuration": [ + {} + ], + "tags": {}, + "vpn_client_configuration": [] + } + }, + { + "address": 
"module.test_connectivity.azurerm_virtual_wan.virtual_wan[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity/providers/Microsoft.Network/virtualWans/root-id-1-vwan-northeurope\"]", + "mode": "managed", + "type": "azurerm_virtual_wan", + "name": "virtual_wan", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity/providers/Microsoft.Network/virtualWans/root-id-1-vwan-northeurope", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "allow_branch_to_branch_traffic": true, + "allow_vnet_to_vnet_traffic": false, + "disable_vpn_encryption": false, + "location": "northeurope", + "name": "root-id-1-vwan-northeurope", + "office365_local_breakout_category": "None", + "resource_group_name": "root-id-1-connectivity", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null, + "type": "Standard" + }, + "sensitive_values": { + "tags": {} + } + }, + { + "address": "module.test_connectivity.azurerm_vpn_gateway.virtual_wan[\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity/providers/Microsoft.Network/expressRouteGateways/root-id-1-vpngw-northeurope\"]", + "mode": "managed", + "type": "azurerm_vpn_gateway", + "name": "virtual_wan", + "index": "/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity/providers/Microsoft.Network/expressRouteGateways/root-id-1-vpngw-northeurope", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "location": "northeurope", + "name": "root-id-1-vpngw-northeurope", + "resource_group_name": "root-id-1-connectivity", + "routing_preference": "Microsoft Network", + "scale_unit": 1, + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework" + }, + "timeouts": null, + "virtual_hub_id": 
"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-connectivity/providers/Microsoft.Network/virtualHubs/root-id-1-hub-northeurope" + }, + "sensitive_values": { + "bgp_settings": [], + "tags": {} + } + }, + { + "address": "module.test_connectivity.time_sleep.after_azurerm_management_group", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_management_group", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_management_group_level_1": "[]", + "azurerm_management_group_level_2": "[]", + "azurerm_management_group_level_3": "[]", + "azurerm_management_group_level_4": "[]", + "azurerm_management_group_level_5": "[]", + "azurerm_management_group_level_6": "[]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_connectivity.time_sleep.after_azurerm_policy_assignment", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_policy_assignment", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_management_group_policy_assignment_enterprise_scale": "[]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_connectivity.time_sleep.after_azurerm_policy_definition", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_policy_definition", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_policy_definition_enterprise_scale": "[]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_connectivity.time_sleep.after_azurerm_policy_set_definition", + "mode": "managed", + "type": "time_sleep", + "name": 
"after_azurerm_policy_set_definition", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_policy_set_definition_enterprise_scale": "[]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_connectivity.time_sleep.after_azurerm_role_assignment", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_role_assignment", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "0s", + "destroy_duration": "0s", + "triggers": { + "azurerm_policy_assignment_enterprise_scale": "[]", + "azurerm_policy_assignment_policy_assignment": "[]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_connectivity.time_sleep.after_azurerm_role_definition", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_role_definition", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "60s", + "destroy_duration": "0s", + "triggers": { + "azurerm_role_definition_enterprise_scale": "[]" + } + }, + "sensitive_values": { + "triggers": {} + } + } + ], + "address": "module.test_connectivity" + }, + { + "resources": [ + { + "address": "module.test_core.azurerm_management_group.level_1[\"/providers/Microsoft.Management/managementGroups/root-id-1\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_1", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "root-name", + "name": "root-id-1", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/dac8feee-8768-4fbd-9cf9-9d96d4718018", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { 
+ "address": "module.test_core.azurerm_management_group.level_2[\"/providers/Microsoft.Management/managementGroups/root-id-1-decommissioned\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_2", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-decommissioned", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Decommissioned", + "name": "root-id-1-decommissioned", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_2[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_2", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Landing Zones", + "name": "root-id-1-landing-zones", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_2[\"/providers/Microsoft.Management/managementGroups/root-id-1-platform\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_2", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-platform", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Platform", + "name": "root-id-1-platform", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": 
"module.test_core.azurerm_management_group.level_2[\"/providers/Microsoft.Management/managementGroups/root-id-1-sandboxes\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_2", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-sandboxes", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Sandboxes", + "name": "root-id-1-sandboxes", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-1-connectivity\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_3", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-connectivity", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Connectivity", + "name": "root-id-1-connectivity", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-platform", + "subscription_ids": [ + "b2ce43c7-d4ec-4878-8df7-b513d90bedbe" + ], + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [ + false + ] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-1-corp\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_3", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-corp", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Corp", + "name": "root-id-1-corp", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": { + 
"subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_3", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Identity", + "name": "root-id-1-identity", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-platform", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-1-management\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_3", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-management", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Management", + "name": "root-id-1-management", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-platform", + "subscription_ids": [ + "4d59de28-6dfe-4706-a4df-50ebe695a300" + ], + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [ + false + ] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-1-online\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_3", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-online", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Online", + "name": "root-id-1-online", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + 
"timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-1-sap\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_3", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-sap", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "SAP", + "name": "root-id-1-sap", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_3[\"/providers/Microsoft.Management/managementGroups/root-id-1-secure\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_3", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-secure", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Secure Workloads (HITRUST/HIPAA)", + "name": "root-id-1-secure", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_4[\"/providers/Microsoft.Management/managementGroups/root-id-1-web-emea\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_4", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-web-emea", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "EMEA Web Applications", + "name": "root-id-1-web-emea", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-online", + "timeouts": null + }, + 
"sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_4[\"/providers/Microsoft.Management/managementGroups/root-id-1-web-global\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_4", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-web-global", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Global Web Applications", + "name": "root-id-1-web-global", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-online", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group.level_4[\"/providers/Microsoft.Management/managementGroups/root-id-1-web-us\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_4", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-web-us", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "US Web Applications", + "name": "root-id-1-web-us", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-online", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-connectivity/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-connectivity/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + 
"description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs.", + "display_name": "Virtual networks should be protected by Azure DDoS Protection Standard", + "enforce": false, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-connectivity", + "name": "Enable-DDoS-VNET", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"ddosPlan\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-ddos/providers/Microsoft.Network/ddosProtectionPlans/root-id-1-ddos-northeurope\"},\"effect\":{\"value\":\"Modify\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/policyAssignments/Deny-Public-Endpoints\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/policyAssignments/Deny-Public-Endpoints", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints.", + "display_name": "Public network access should be disabled for PaaS services", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": 
"/providers/Microsoft.Management/managementGroups/root-id-1-corp", + "name": "Deny-Public-Endpoints", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones.", + "display_name": "Configure Azure PaaS services to use private DNS zones", + "enforce": false, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-corp", + "name": "Deploy-Private-DNS-Zones", + "non_compliance_message": [], + "not_scopes": [], + "parameters": 
"{\"azureAcrPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io\"},\"azureAppPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io\"},\"azureAppServicesPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net\"},\"azureAsrPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.siterecovery.windowsazure.com\"},\"azureBatchPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.northeurope.batch.azure.com\"},\"azureCognitiveSearchPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.search.windows.net\"},\"azureCognitiveServicesPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.cognitiveservices.azure.com\"},\"azureDiskAccessPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net\"},\"azureEventGridDomainsPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.eventgrid.azure.net\"},\"azureEventGridTopicsPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGr
oups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.eventgrid.azure.net\"},\"azureEventHubNamespacePrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net\"},\"azureFilePrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.afs.azure.net\"},\"azureIoTPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azure-devices-provisioning.net\"},\"azureIotHubsPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azure-devices.net\"},\"azureKeyVaultPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net\"},\"azureMachineLearningWorkspacePrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.api.azureml.ms\"},\"azureRedisCachePrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net\"},\"azureServiceBusNamespacePrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net\"},\"azureSignalRPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.service.signalr.net\"},\"az
ureWebPrivateDnsZoneId\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-dns/providers/Microsoft.Network/privateDnsZones/privatelink.webpubsub.azure.com\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Public-IP\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Public-IP", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies creation of Public IPs under the assigned scope.", + "display_name": "Deny the creation of public IP", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", + "name": "Deny-Public-IP", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"effect\":{\"value\":\"Deny\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": 
"module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies any network security rule that allows RDP access from Internet.", + "display_name": "RDP access from the Internet should be blocked", + "enforce": false, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", + "name": "Deny-RDP-From-Internet", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"effect\":{\"value\":\"Deny\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy 
denies the creation of a subnet without a Network Security Group to protect traffic across subnets.", + "display_name": "Subnets should have a Network Security Group", + "enforce": false, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", + "name": "Deny-Subnet-Without-Nsg", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"effect\":{\"value\":\"Deny\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. 
See https://aka.ms/AzureVMAppCentricBackupExcludeTag.", + "display_name": "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy", + "enforce": false, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", + "name": "Deploy-VM-Backup", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"effect\":{\"value\":\"deployIfNotExists\"},\"exclusionTagName\":{\"value\":\"\"},\"exclusionTagValue\":{\"value\":[]}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-IP-Forwarding\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-IP-Forwarding", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. 
This should be reviewed by the network security team.", + "display_name": "Network interfaces should disable IP forwarding", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deny-IP-Forwarding", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Containers-AKS\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Containers-AKS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. 
For more information, see https://aka.ms/kubepolicydoc.", + "display_name": "Kubernetes cluster should not allow privileged containers", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deny-Priv-Containers-AKS", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"effect\":{\"value\":\"deny\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Escalation-AKS\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Escalation-AKS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. 
For more information, see https://aka.ms/kubepolicydoc.", + "display_name": "Kubernetes clusters should not allow container privilege escalation", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deny-Priv-Escalation-AKS", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"effect\":{\"value\":\"deny\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies any network security rule that allows RDP access from Internet.", + "display_name": "RDP access from the Internet should be blocked", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deny-RDP-From-Internet", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + 
"non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Storage-http\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Storage-http", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "display_name": "Secure transfer to storage accounts should be enabled", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deny-Storage-http", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": 
"enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets.", + "display_name": "Subnets should have a Network Security Group", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deny-Subnet-Without-Nsg", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-AKS-Policy\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-AKS-Policy", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. 
For more information, see https://aka.ms/akspolicydoc.", + "display_name": "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deploy-AKS-Policy", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-DB-Auditing\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-DB-Auditing", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.", + "display_name": "Auditing on SQL server should be enabled", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deploy-SQL-DB-Auditing", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9", + "timeouts": null 
+ }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Threat\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Threat", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy ensures that Threat Detection is enabled on SQL Servers.", + "display_name": "Deploy Threat Detection on SQL servers", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deploy-SQL-Threat", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup", + "provider_name": 
"registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.", + "display_name": "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Deploy-VM-Backup", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. 
For more information, visit https://aka.ms/ddosprotectiondocs.", + "display_name": "Virtual networks should be protected by Azure DDoS Protection Standard", + "enforce": false, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Enable-DDoS-VNET", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"ddosPlan\":{\"value\":\"/subscriptions/b2ce43c7-d4ec-4878-8df7-b513d90bedbe/resourceGroups/root-id-1-ddos/providers/Microsoft.Network/ddosProtectionPlans/root-id-1-ddos-northeurope\"},\"effect\":{\"value\":\"Modify\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-AKS-HTTPS\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-AKS-HTTPS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. 
For more info, visit https://aka.ms/kubepolicydoc.", + "display_name": "Kubernetes clusters should be accessible only over HTTPS", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Enforce-AKS-HTTPS", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"effect\":{\"value\":\"deny\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. 
Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit.", + "display_name": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "name": "Enforce-TLS-SSL", + "non_compliance_message": [], + "not_scopes": [], + "parameters": null, + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-management/providers/Microsoft.Authorization/policyAssignments/Deploy-Log-Analytics\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-management/providers/Microsoft.Authorization/policyAssignments/Deploy-Log-Analytics", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy-Log-Analytics.", + "display_name": "Deploy-Log-Analytics", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-management", + "name": "Deploy-Log-Analytics", + "non_compliance_message": [], + "not_scopes": [], + "parameters": 
"{\"automationAccountName\":{\"value\":\"root-id-1-automation\"},\"automationRegion\":{\"value\":\"northeurope\"},\"dataRetention\":{\"value\":\"60\"},\"effect\":{\"value\":\"DeployIfNotExists\"},\"rgName\":{\"value\":\"root-id-1-mgmt\"},\"sku\":{\"value\":\"pergb2018\"},\"workspaceName\":{\"value\":\"root-id-1-la\"},\"workspaceRegion\":{\"value\":\"northeurope\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Specifies the allowed locations (regions) where Resource Groups can be deployed. 
Generated from custom Terraform template.", + "display_name": "Limit allowed locations for Resource Groups", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-secure", + "name": "Deny-RSG-Locations", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"eastus\",\"westus\"]}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Specifies the allowed locations (regions) where Resources can be deployed.", + "display_name": "Limit allowed locations for Resources", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-secure", + "name": "Deny-Resource-Locations", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"eastus\",\"westus\"]}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + 
"not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/policyAssignments/Deploy-HITRUST-HIPAA\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/policyAssignments/Deploy-HITRUST-HIPAA", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This assignment includes audit and virtual machine extension deployment policies that address a subset of HITRUST/HIPAA controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/hipaa-blueprint.", + "display_name": "Assign policies for HITRUST and HIPAA controls", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-secure", + "name": "Deploy-HITRUST-HIPAA", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"CertificateThumbprints\":{\"value\":\"\"},\"DeployDiagnosticSettingsforNetworkSecurityGroupsrgName\":{\"value\":\"root-id-1-rg\"},\"DeployDiagnosticSettingsforNetworkSecurityGroupsstoragePrefix\":{\"value\":\"root-id-1\"},\"installedApplicationsOnWindowsVM\":{\"value\":\"\"},\"listOfLocations\":{\"value\":[\"eastus\"]}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policySetDefinitions/a169a624-5599-4385-a696-c8d643089fab", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": 
"module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-web-emea/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-web-emea/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Specifies the allowed locations (regions) where Resource Groups can be deployed. Generated from custom Terraform template.", + "display_name": "Limit allowed locations for Resource Groups", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-web-emea", + "name": "Deny-RSG-Locations", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"northeurope\",\"westeurope\"]}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-web-emea/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-web-emea/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + 
"description": "Specifies the allowed locations (regions) where Resources can be deployed.", + "display_name": "Limit allowed locations for Resources", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-web-emea", + "name": "Deny-Resource-Locations", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"northeurope\",\"westeurope\"]}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-web-us/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-web-us/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Specifies the allowed locations (regions) where Resource Groups can be deployed. 
Generated from custom Terraform template.", + "display_name": "Limit allowed locations for Resource Groups", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-web-us", + "name": "Deny-RSG-Locations", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"eastus\",\"westus\"]}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-web-us/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-web-us/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Specifies the allowed locations (regions) where Resources can be deployed.", + "display_name": "Limit allowed locations for Resources", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-web-us", + "name": "Deny-Resource-Locations", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"eastus\",\"westus\"]}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + 
"not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Specifies the allowed locations (regions) where Resource Groups can be deployed. Generated from custom Terraform template.", + "display_name": "Limit allowed locations for Resource Groups", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deny-RSG-Locations", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"eastus\",\"eastus2\",\"westus\",\"northcentralus\",\"southcentralus\",\"northeurope\",\"westeurope\",\"uksouth\",\"ukwest\"]}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations", + "provider_name": 
"registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Specifies the allowed locations (regions) where Resources can be deployed.", + "display_name": "Limit allowed locations for Resources", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deny-Resource-Locations", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"eastus\",\"eastus2\",\"westus\",\"northcentralus\",\"southcentralus\",\"northeurope\",\"westeurope\",\"uksouth\",\"ukwest\"]}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Monitoring\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Monitoring", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enable Monitoring in Azure Security Center.", + "display_name": "Enable Monitoring in Azure Security Center", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-ASC-Monitoring", + "non_compliance_message": [], + "not_scopes": [], + "parameters": 
"{\"aadAuthenticationInSqlServerMonitoringEffect\":{\"value\":\"Disabled\"},\"diskEncryptionMonitoringEffect\":{\"value\":\"Disabled\"},\"encryptionOfAutomationAccountMonitoringEffect\":{\"value\":\"Disabled\"},\"identityDesignateLessThanOwnersMonitoringEffect\":{\"value\":\"Disabled\"},\"identityDesignateMoreThanOneOwnerMonitoringEffect\":{\"value\":\"Disabled\"},\"identityEnableMFAForWritePermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveDeprecatedAccountMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect\":{\"value\":\"Disabled\"},\"jitNetworkAccessMonitoringEffect\":{\"value\":\"Disabled\"},\"networkSecurityGroupsOnSubnetsMonitoringEffect\":{\"value\":\"AuditIfNotExists\"},\"sqlDbEncryptionMonitoringEffect\":{\"value\":\"Disabled\"},\"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect\":{\"value\":\"Disabled\"},\"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect\":{\"value\":\"Disabled\"},\"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect\":{\"value\":\"Disabled\"},\"sqlServerAdvancedDataSecurityMonitoringEffect\":{\"value\":\"Disabled\"},\"systemUpdatesMonitoringEffect\":{\"value\":\"Disabled\"},\"useRbacRulesMonitoringEffect\":{\"value\":\"Disabled\"},\"vmssSystemUpdatesMonitoringEffect\":{\"value\":\"Disabled\"},\"windowsDefenderExploitGuardMonitoringEffect\":{\"value\":\"Disabled\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": 
"module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-AzActivity-Log\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-AzActivity-Log", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Ensures that Activity Log Diagnostics settings are set to push logs into Log Analytics workspace.", + "display_name": "Deploy Diagnostic Settings for Activity Log to Log Analytics workspace", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-AzActivity-Log", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"logAnalytics\":{\"value\":\"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-HITRUST-HIPAA\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-HITRUST-HIPAA", 
+ "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This assignment includes audit and virtual machine extension deployment policies that address a subset of HITRUST/HIPAA controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/hipaa-blueprint.", + "display_name": "Assign policies for HITRUST and HIPAA controls", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-HITRUST-HIPAA", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"CertificateThumbprints\":{\"value\":\"\"},\"DeployDiagnosticSettingsforNetworkSecurityGroupsrgName\":{\"value\":\"root-id-1-rg\"},\"DeployDiagnosticSettingsforNetworkSecurityGroupsstoragePrefix\":{\"value\":\"root-id-1\"},\"installedApplicationsOnWindowsVM\":{\"value\":\"\"},\"listOfLocations\":{\"value\":[\"eastus\"]}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policySetDefinitions/a169a624-5599-4385-a696-c8d643089fab", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-LX-Arc-Monitoring\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-LX-Arc-Monitoring", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy-Linux-Arc-Monitoring.", + "display_name": 
"Deploy-Linux-Arc-Monitoring", + "enforce": false, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-LX-Arc-Monitoring", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"logAnalytics\":{\"value\":\"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-MDFC-Config\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-MDFC-Config", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy Microsoft Defender for Cloud and Security Contacts", + "display_name": "Deploy Microsoft Defender for Cloud configuration", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-MDFC-Config", + "non_compliance_message": [], + "not_scopes": [], + "parameters": 
"{\"ascExportResourceGroupLocation\":{\"value\":\"northeurope\"},\"ascExportResourceGroupName\":{\"value\":\"root-id-1-asc-export\"},\"emailSecurityContact\":{\"value\":\"test.user@replace_me\"},\"enableAscForAppServices\":{\"value\":\"DeployIfNotExists\"},\"enableAscForArm\":{\"value\":\"DeployIfNotExists\"},\"enableAscForContainers\":{\"value\":\"DeployIfNotExists\"},\"enableAscForDns\":{\"value\":\"DeployIfNotExists\"},\"enableAscForKeyVault\":{\"value\":\"DeployIfNotExists\"},\"enableAscForOssDb\":{\"value\":\"DeployIfNotExists\"},\"enableAscForServers\":{\"value\":\"DeployIfNotExists\"},\"enableAscForSql\":{\"value\":\"DeployIfNotExists\"},\"enableAscForSqlOnVm\":{\"value\":\"DeployIfNotExists\"},\"enableAscForStorage\":{\"value\":\"DeployIfNotExists\"},\"logAnalytics\":{\"value\":\"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-Resource-Diag\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-Resource-Diag", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Ensures that Azure resources are configured to forward diagnostic logs and metrics to an Azure Log Analytics workspace.", + "display_name": 
"Deploy-Resource-Diag", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-Resource-Diag", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"logAnalytics\":{\"value\":\"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Auditing\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Auditing", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy Auditing on SQL servers.", + "display_name": "Deploy Auditing on SQL servers", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-SQL-Auditing", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"retentionDays\":{\"value\":\"10\"},\"storageAccountsResourceGroup\":{\"value\":\"\"}}", + "policy_definition_id": 
"/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter.", + "display_name": "Enable Azure Monitor for VMs", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-VM-Monitoring", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"logAnalytics_1\":{\"value\":\"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": 
"module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-Monitoring\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-Monitoring", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances.", + "display_name": "Enable Azure Monitor for Virtual Machine Scale Sets", + "enforce": true, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-VMSS-Monitoring", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"logAnalytics_1\":{\"value\":\"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": 
"module.test_core.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-WS-Arc-Monitoring\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-WS-Arc-Monitoring", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the Log Analytics agent to Windows Azure Arc machines if the agent isn't installed.", + "display_name": "Deploy-Windows-Arc-Monitoring", + "enforce": false, + "identity": [ + { + "type": "SystemAssigned" + } + ], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1", + "name": "Deploy-WS-Arc-Monitoring", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"logAnalytics\":{\"value\":\"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203", + "timeouts": null + }, + "sensitive_values": { + "identity": [ + {} + ], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", + "provider_name": 
"registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.", + "display_name": "AppService append enable https only setting to enforce https setting.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", + "mode": "All", + "name": "Append-AppService-httpsonly", + "parameters": "{\"effect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"field\":\"Microsoft.Web/sites/httpsOnly\",\"notequals\":true}]},\"then\":{\"details\":[{\"field\":\"Microsoft.Web/sites/httpsOnly\",\"value\":true}],\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. 
Please note Append does not enforce compliance use then deny.", + "display_name": "AppService append sites with minimum TLS version to enforce.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", + "mode": "All", + "name": "Append-AppService-latestTLS", + "parameters": "{\"effect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version for a Web App config to enforce\",\"displayName\":\"Select version minimum TLS Web App config\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites/config\",\"field\":\"type\"},{\"field\":\"Microsoft.Web/sites/config/minTlsVersion\",\"notEquals\":\"[parameters('minTlsVersion')]\"}]},\"then\":{\"details\":[{\"field\":\"Microsoft.Web/sites/config/minTlsVersion\",\"value\":\"[parameters('minTlsVersion')]\"}],\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy enables you to ensure when a Key Vault is created with out soft delete enabled it will be added.", + "display_name": "KeyVault SoftDelete 
should be enabled", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Key Vault\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Append-KV-SoftDelete", + "parameters": null, + "policy_rule": "{\"if\":{\"anyOf\":[{\"allOf\":[{\"equals\":\"Microsoft.KeyVault/vaults\",\"field\":\"type\"},{\"field\":\"Microsoft.KeyVault/vaults/enableSoftDelete\",\"notEquals\":true}]}]},\"then\":{\"details\":[{\"field\":\"Microsoft.KeyVault/vaults/enableSoftDelete\",\"value\":true}],\"effect\":\"append\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Cache\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Append-Redis-disableNonSslPort", + "parameters": "{\"effect\":{\"allowedValues\":[\"Append\",\"Disabled\",\"Modify\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis\",\"displayName\":\"Effect Azure Cache for Redis\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Cache/redis\",\"field\":\"type\"},{\"anyOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Cache/Redis/enableNonSslPort\"}]}]},\"then\":{\"details\":[{\"field\":\"Microsoft.Cache/Redis/enableNonSslPort\",\"value\":false}],\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. 
Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Cache\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Append-Redis-sslEnforcement", + "parameters": "{\"effect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis\",\"displayName\":\"Effect Azure Cache for Redis\"},\"type\":\"String\"},\"minimumTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Cache for Redis to enforce\",\"displayName\":\"Select version for Redis server\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Cache/redis\",\"field\":\"type\"},{\"anyOf\":[{\"field\":\"Microsoft.Cache/Redis/minimumTlsVersion\",\"notequals\":\"[parameters('minimumTlsVersion')]\"}]}]},\"then\":{\"details\":[{\"field\":\"Microsoft.Cache/Redis/minimumTlsVersion\",\"value\":\"[parameters('minimumTlsVersion')]\"}],\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + 
"index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.", + "display_name": "Control private endpoint connections to Azure Machine Learning", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Audit-MachineLearning-PrivateEndpointId", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\",\"field\":\"type\"},{\"equals\":\"Approved\",\"field\":\"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\"},{\"notEquals\":\"[subscription().subscriptionId]\",\"value\":\"[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AA-child-resources\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AA-child-resources", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies the creation of child resources on the Automation Account", + "display_name": "No child resources in Automation Account", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Automation\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-AA-child-resources", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Automation/automationAccounts/runbooks\",\"Microsoft.Automation/automationAccounts/variables\",\"Microsoft.Automation/automationAccounts/modules\",\"Microsoft.Automation/automationAccounts/credentials\",\"Microsoft.Automation/automationAccounts/connections\",\"Microsoft.Automation/automationAccounts/certificates\"]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy enables you to restrict that Application Gateways is always deployed with WAF 
enabled", + "display_name": "Application Gateway should be deployed with WAF enabled", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-AppGW-Without-WAF", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/applicationGateways\",\"field\":\"type\"},{\"field\":\"Microsoft.Network/applicationGateways/sku.name\",\"notequals\":\"WAF_v2\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "display_name": "API App should only be accessible over HTTPS", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-AppServiceApiApp-http", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"field\":\"kind\",\"like\":\"*api\"},{\"equals\":\"false\",\"field\":\"Microsoft.Web/sites/httpsOnly\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "display_name": "Function App should only be accessible over HTTPS", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-AppServiceFunctionApp-http", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"field\":\"kind\",\"like\":\"functionapp*\"},{\"equals\":\"false\",\"field\":\"Microsoft.Web/sites/httpsOnly\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "display_name": "Web Application should only be accessible over HTTPS", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"App Service\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-AppServiceWebApp-http", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"field\":\"kind\",\"like\":\"app*\"},{\"equals\":\"false\",\"field\":\"Microsoft.Web/sites/httpsOnly\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp", + "provider_name": 
"registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.", + "display_name": "Deny public IPs for Databricks cluster", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Databricks\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-Databricks-NoPublicIp", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Databricks/workspaces\",\"field\":\"type\"},{\"field\":\"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\"notEquals\":true}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.", + "display_name": "Deny non-premium Databricks sku", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Databricks\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": 
"Deny-Databricks-Sku", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Databricks/workspaces\",\"field\":\"type\"},{\"field\":\"Microsoft.DataBricks/workspaces/sku.name\",\"notEquals\":\"premium\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enforces the use of vnet injection for Databricks workspaces.", + "display_name": "Deny Databricks workspaces without Vnet injection", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Databricks\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-Databricks-VirtualNetwork", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Databricks/workspaces\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value\"},{\"exists\":false,\"field\":\"Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value\"},{\"exists\":false,\"field\":\"Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Aks\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Aks", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.", + "display_name": "Deny AKS cluster creation in Azure Machine Learning", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MachineLearning-Aks", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"equals\":\"AKS\",\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/resourceId\"},{\"equals\":true,\"value\":\"[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-SubnetId\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-SubnetId", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.", + "display_name": "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MachineLearning-Compute-SubnetId", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\"in\":[\"AmlCompute\",\"ComputeInstance\"]},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/subnet.id\"},{\"equals\":true,\"value\":\"[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-VmSize\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-VmSize", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.", + "display_name": "Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Budget\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MachineLearning-Compute-VmSize", + "parameters": 
"{\"allowedVmSizes\":{\"defaultValue\":[\"Standard_D1_v2\",\"Standard_D2_v2\",\"Standard_D3_v2\",\"Standard_D4_v2\",\"Standard_D11_v2\",\"Standard_D12_v2\",\"Standard_D13_v2\",\"Standard_D14_v2\",\"Standard_DS1_v2\",\"Standard_DS2_v2\",\"Standard_DS3_v2\",\"Standard_DS4_v2\",\"Standard_DS5_v2\",\"Standard_DS11_v2\",\"Standard_DS12_v2\",\"Standard_DS13_v2\",\"Standard_DS14_v2\",\"Standard_M8-2ms\",\"Standard_M8-4ms\",\"Standard_M8ms\",\"Standard_M16-4ms\",\"Standard_M16-8ms\",\"Standard_M16ms\",\"Standard_M32-8ms\",\"Standard_M32-16ms\",\"Standard_M32ls\",\"Standard_M32ms\",\"Standard_M32ts\",\"Standard_M64-16ms\",\"Standard_M64-32ms\",\"Standard_M64ls\",\"Standard_M64ms\",\"Standard_M64s\",\"Standard_M128-32ms\",\"Standard_M128-64ms\",\"Standard_M128ms\",\"Standard_M128s\",\"Standard_M64\",\"Standard_M64m\",\"Standard_M128\",\"Standard_M128m\",\"Standard_D1\",\"Standard_D2\",\"Standard_D3\",\"Standard_D4\",\"Standard_D11\",\"Standard_D12\",\"Standard_D13\",\"Standard_D14\",\"Standard_DS15_v2\",\"Standard_NV6\",\"Standard_NV12\",\"Standard_NV24\",\"Standard_F2s_v2\",\"Standard_F4s_v2\",\"Standard_F8s_v2\",\"Standard_F16s_v2\",\"Standard_F32s_v2\",\"Standard_F64s_v2\",\"Standard_F72s_v2\",\"Standard_NC6s_v3\",\"Standard_NC12s_v3\",\"Standard_NC24rs_v3\",\"Standard_NC24s_v3\",\"Standard_NC6\",\"Standard_NC12\",\"Standard_NC24\",\"Standard_NC24r\",\"Standard_ND6s\",\"Standard_ND12s\",\"Standard_ND24rs\",\"Standard_ND24s\",\"Standard_NC6s_v2\",\"Standard_NC12s_v2\",\"Standard_NC24rs_v2\",\"Standard_NC24s_v2\",\"Standard_ND40rs_v2\",\"Standard_NV12s_v3\",\"Standard_NV24s_v3\",\"Standard_NV48s_v3\"],\"metadata\":{\"description\":\"Specifies the allowed VM Sizes for Aml Compute Clusters and Instances\",\"displayName\":\"Allowed VM Sizes for Aml Compute Clusters and Instances\"},\"type\":\"Array\"},\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\"in\":[\"AmlCompute\",\"ComputeInstance\"]},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/vmSize\",\"notIn\":\"[parameters('allowedVmSizes')]\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deny public access of Azure Machine Learning clusters via SSH.", + "display_name": "Deny public access of Azure Machine Learning clusters via SSH", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"equals\":\"AmlCompute\",\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\"notEquals\":\"Disabled\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-Scale\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-Scale", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enforce scale settings for Azure Machine Learning compute clusters.", + "display_name": "Enforce scale settings for Azure Machine Learning compute clusters", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Budget\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MachineLearning-ComputeCluster-Scale", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"maxNodeCount\":{\"defaultValue\":10,\"metadata\":{\"description\":\"Specifies the maximum node count of AML Clusters\",\"displayName\":\"Maximum Node 
Count\"},\"type\":\"Integer\"},\"maxNodeIdleTimeInSecondsBeforeScaleDown\":{\"defaultValue\":900,\"metadata\":{\"description\":\"Specifies the maximum node idle time in seconds before scaledown\",\"displayName\":\"Maximum Node Idle Time in Seconds Before Scaledown\"},\"type\":\"Integer\"},\"minNodeCount\":{\"defaultValue\":0,\"metadata\":{\"description\":\"Specifies the minimum node count of AML Clusters\",\"displayName\":\"Minimum Node Count\"},\"type\":\"Integer\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces/computes\",\"field\":\"type\"},{\"equals\":\"AmlCompute\",\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/computeType\"},{\"anyOf\":[{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount\",\"greater\":\"[parameters('maxNodeCount')]\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount\",\"greater\":\"[parameters('minNodeCount')]\"},{\"greater\":\"[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]\",\"value\":\"[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-HbiWorkspace\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-HbiWorkspace", + "provider_name": 
"registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Enforces high business impact Azure Machine Learning workspaces.", + "display_name": "Enforces high business impact Azure Machine Learning Workspaces", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MachineLearning-HbiWorkspace", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\"notEquals\":true}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicAccessWhenBehindVnet\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicAccessWhenBehindVnet", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deny public access behind vnet to Azure Machine Learning workspaces.", + "display_name": "Deny public acces behind vnet to Azure Machine Learning workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Machine 
Learning\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MachineLearning-PublicAccessWhenBehindVnet", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":false,\"field\":\"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\"notEquals\":false}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Denies public network access for Azure Machine Learning workspaces.", + "display_name": "Azure Machine Learning should have disabled public network access", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Machine Learning\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MachineLearning-PublicNetworkAccess", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.MachineLearningServices/workspaces\",\"field\":\"type\"},{\"field\":\"Microsoft.MachineLearningServices/workspaces/publicNetworkAccess\",\"notEquals\":\"Disabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "MySQL database servers enforce SSL connections.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-MySql-http", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"Select version minimum TLS for MySQL server\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforMySQL/servers\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\"},{\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"},{\"field\":\"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Azure Database 
for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "PostgreSQL database servers enforce SSL connection.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.1\"}", + "mode": "Indexed", + "name": "Deny-PostgreSql-http", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"Select version minimum TLS for MySQL server\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforPostgreSQL/servers\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Private-DNS-Zones\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Private-DNS-Zones", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies the creation of a private DNS in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription", + "display_name": "Deny the creation of private DNS", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-Private-DNS-Zones", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/privateDnsZones\",\"field\":\"type\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": 
"This policy denies the creation of Maria DB accounts with exposed public endpoints", + "display_name": "Public network access should be disabled for MariaDB", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-PublicEndpoint-MariaDB", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforMariaDB/servers\",\"field\":\"type\"},{\"field\":\"Microsoft.DBforMariaDB/servers/publicNetworkAccess\",\"notequals\":\"Disabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies creation of Public IPs under the assigned scope.", + "display_name": "Deny the creation of public IP", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-PublicIP", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/publicIPAddresses\",\"field\":\"type\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies any network security rule that allows RDP access from Internet", + "display_name": "RDP access from the Internet should be blocked", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", + "mode": "All", + "name": "Deny-RDP-From-Internet", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/networkSecurityGroups/securityRules\",\"field\":\"type\"},{\"allOf\":[{\"equals\":\"Allow\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/access\"},{\"equals\":\"Inbound\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/direction\"},{\"anyOf\":[{\"equals\":\"*\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\"},{\"equals\":\"3389\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\"},{\"equals\":\"true\",\"value\":\"[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]\"},{\"count\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"where\":{\"equals\":\"true\",\"value\":\"[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 
'false')]\"}},\"greater\":0},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"notEquals\":\"3389\"}}]},{\"anyOf\":[{\"equals\":\"*\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\"},{\"equals\":\"Internet\",\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\"},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\"notEquals\":\"Internet\"}}]}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking", + "display_name": "Azure Cache for Redis only secure connections should be enabled", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Cache\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-Redis-http", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"The effect determines what happens when the policy rule is evaluated to match\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimumTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select minimum TLS version for Azure Cache for Redis.\",\"displayName\":\"Select minumum TLS version for Azure Cache for Redis.\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Cache/redis\",\"field\":\"type\"},{\"anyOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Cache/Redis/enableNonSslPort\"},{\"field\":\"Microsoft.Cache/Redis/minimumTlsVersion\",\"notequals\":\"[parameters('minimumTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Setting minimal TLS 
version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.", + "display_name": "Azure SQL Database should have the minimal TLS version set to the highest version", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-Sql-minTLS", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version SQL servers to enforce\",\"displayName\":\"Select version for SQL server\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Sql/servers\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.Sql/servers/minimalTlsVersion\"},{\"field\":\"Microsoft.Sql/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Setting minimal TLS 
version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.", + "display_name": "SQL Managed Instance should have the minimal TLS version set to the highest version", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-SqlMi-minTLS", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version SQL servers to enforce\",\"displayName\":\"Select version for SQL server\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Sql/managedInstances\",\"field\":\"type\"},{\"anyOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.Sql/managedInstances/minimalTlsVersion\"},{\"field\":\"Microsoft.Sql/managedInstances/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + 
"description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking", + "display_name": "Storage Account set to minumum TLS and Secure transfer should be enabled", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Storage\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deny-Storage-minTLS", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"The effect determines what happens when the policy rule is evaluated to match\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"minimumTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_1\",\"TLS1_0\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version on Azure Storage Account to enforce\",\"displayName\":\"Storage Account select minimum TLS version\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Storage/storageAccounts\",\"field\":\"type\"},{\"anyOf\":[{\"allOf\":[{\"less\":\"2019-04-01\",\"value\":\"[requestContext().apiVersion]\"},{\"exists\":\"false\",\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\"}]},{\"equals\":\"false\",\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\"},{\"field\":\"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\"notequals\":\"[parameters('minimumTlsVersion')]\"},{\"exists\":\"false\",\"field\":\"Microsoft.Storage/storageAccounts/minimumTlsVersion\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level.", + "display_name": "Subnets should have a Network Security Group", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"2.0.0\"}", + "mode": "All", + "name": "Deny-Subnet-Without-Nsg", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"excludedSubnets\":{\"defaultValue\":[\"GatewaySubnet\",\"AzureFirewallSubnet\",\"AzureFirewallManagementSubnet\"],\"metadata\":{\"description\":\"Array of subnet names that are excluded from this policy\",\"displayName\":\"Excluded Subnets\"},\"type\":\"Array\"}}", + "policy_rule": 
"{\"if\":{\"anyOf\":[{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks\",\"field\":\"type\"},{\"count\":{\"field\":\"Microsoft.Network/virtualNetworks/subnets[*]\",\"where\":{\"allOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id\"},{\"field\":\"Microsoft.Network/virtualNetworks/subnets[*].name\",\"notIn\":\"[parameters('excludedSubnets')]\"}]}},\"notEquals\":0}]},{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks/subnets\",\"field\":\"type\"},{\"field\":\"name\",\"notIn\":\"[parameters('excludedSubnets')]\"},{\"exists\":\"false\",\"field\":\"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies the creation of a subnet without a User Defined Route (UDR).", + "display_name": "Subnets should have a User Defined Route", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"2.0.0\"}", + "mode": "All", + "name": "Deny-Subnet-Without-Udr", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"excludedSubnets\":{\"defaultValue\":[\"AzureBastionSubnet\"],\"metadata\":{\"description\":\"Array of subnet names that are excluded from this policy\",\"displayName\":\"Excluded Subnets\"},\"type\":\"Array\"}}", + "policy_rule": "{\"if\":{\"anyOf\":[{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks\",\"field\":\"type\"},{\"count\":{\"field\":\"Microsoft.Network/virtualNetworks/subnets[*]\",\"where\":{\"allOf\":[{\"exists\":\"false\",\"field\":\"Microsoft.Network/virtualNetworks/subnets[*].routeTable.id\"},{\"field\":\"Microsoft.Network/virtualNetworks/subnets[*].name\",\"notIn\":\"[parameters('excludedSubnets')]\"}]}},\"notEquals\":0}]},{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks/subnets\",\"field\":\"type\"},{\"field\":\"name\",\"notIn\":\"[parameters('excludedSubnets')]\"},{\"exists\":\"false\",\"field\":\"Microsoft.Network/virtualNetworks/subnets/routeTable.id\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.", + "display_name": "Deny vNet peering cross subscription.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.1\"}", + "mode": "All", + "name": 
"Deny-VNET-Peer-Cross-Sub", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\"field\":\"type\"},{\"field\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id\",\"notcontains\":\"[subscription().id]\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-VNet-Peering\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-VNet-Peering", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy denies the creation of vNet Peerings under the assigned scope.", + "display_name": "Deny vNet peering ", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.1\"}", + "mode": "All", + "name": "Deny-VNet-Peering", + "parameters": "{\"effect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\"field\":\"type\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { 
+ "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy Azure Security Center Security Contacts", + "display_name": "Deploy Azure Security Center Security Contacts", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Security Center\",\"version\":\"1.0.0\"}", + "mode": "All", + "name": "Deploy-ASC-SecurityContacts", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"string\"},\"emailSecurityContact\":{\"metadata\":{\"description\":\"Provide email address for Azure Security Center contact details\",\"displayName\":\"Security contacts email address\"},\"type\":\"string\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"emailSecurityContact\":{\"value\":\"[parameters('emailSecurityContact')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"emailSecurityContact\":{\"metadata\":{\"description\":\"Security contacts email 
address\"},\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2020-01-01-preview\",\"name\":\"default\",\"properties\":{\"alertNotifications\":{\"minimalSeverity\":\"High\",\"state\":\"On\"},\"emails\":\"[parameters('emailSecurityContact')]\",\"notificationsByRole\":{\"roles\":[\"Owner\"],\"state\":\"On\"}},\"type\":\"Microsoft.Security/securityContacts\"}],\"variables\":{}}}},\"deploymentScope\":\"subscription\",\"existenceCondition\":{\"allOf\":[{\"contains\":\"[parameters('emailSecurityContact')]\",\"field\":\"Microsoft.Security/securityContacts/email\"},{\"equals\":\"Microsoft.Security/securityContacts\",\"field\":\"type\"},{\"equals\":\"On\",\"field\":\"Microsoft.Security/securityContacts/alertNotifications\"},{\"equals\":\"On\",\"field\":\"Microsoft.Security/securityContacts/alertsToAdmins\"}]},\"existenceScope\":\"subscription\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd\"],\"type\":\"Microsoft.Security/securityContacts\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Budget\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Budget", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy a default budget on all subscriptions under the assigned scope", + "display_name": "Deploy a default budget on all subscriptions under the assigned scope", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Budget\",\"version\":\"1.1.0\"}", + "mode": "All", + "name": 
"Deploy-Budget", + "parameters": "{\"amount\":{\"defaultValue\":\"1000\",\"metadata\":{\"description\":\"The total amount of cost or usage to track with the budget\"},\"type\":\"String\"},\"budgetName\":{\"defaultValue\":\"budget-set-by-policy\",\"metadata\":{\"description\":\"The name for the budget to be created\"},\"type\":\"String\"},\"contactEmails\":{\"defaultValue\":[],\"metadata\":{\"description\":\"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"},\"type\":\"Array\"},\"contactGroups\":{\"defaultValue\":[],\"metadata\":{\"description\":\"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"},\"type\":\"Array\"},\"contactRoles\":{\"defaultValue\":[\"Owner\",\"Contributor\"],\"metadata\":{\"description\":\"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"},\"type\":\"Array\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\"},\"type\":\"String\"},\"firstThreshold\":{\"defaultValue\":\"90\",\"metadata\":{\"description\":\"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"},\"type\":\"String\"},\"secondThreshold\":{\"defaultValue\":\"100\",\"metadata\":{\"description\":\"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"},\"type\":\"String\"},\"timeGrain\":{\"allowedValues\":[\"Monthly\",\"Quarterly\",\"Annually\",\"BillingMonth\",\"BillingQuarter\",\"BillingAnnual\"],\"defaultValue\":\"Monthly\",\"metadata\":{\"description\":\"The time covered by a budget. 
Tracking of the amount will be reset based on the time grain.\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"amount\":{\"value\":\"[parameters('amount')]\"},\"budgetName\":{\"value\":\"[parameters('budgetName')]\"},\"contactEmails\":{\"value\":\"[parameters('contactEmails')]\"},\"contactGroups\":{\"value\":\"[parameters('contactGroups')]\"},\"contactRoles\":{\"value\":\"[parameters('contactRoles')]\"},\"firstThreshold\":{\"value\":\"[parameters('firstThreshold')]\"},\"secondThreshold\":{\"value\":\"[parameters('secondThreshold')]\"},\"timeGrain\":{\"value\":\"[parameters('timeGrain')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"amount\":{\"type\":\"String\"},\"budgetName\":{\"type\":\"String\"},\"contactEmails\":{\"type\":\"Array\"},\"contactGroups\":{\"type\":\"Array\"},\"contactRoles\":{\"type\":\"Array\"},\"firstThreshold\":{\"type\":\"String\"},\"secondThreshold\":{\"type\":\"String\"},\"startDate\":{\"defaultValue\":\"[concat(utcNow('MM'), '/01/', 
utcNow('yyyy'))]\",\"type\":\"String\"},\"timeGrain\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2019-10-01\",\"name\":\"[parameters('budgetName')]\",\"properties\":{\"amount\":\"[parameters('amount')]\",\"category\":\"Cost\",\"notifications\":{\"NotificationForExceededBudget1\":{\"contactEmails\":\"[parameters('contactEmails')]\",\"contactGroups\":\"[parameters('contactGroups')]\",\"contactRoles\":\"[parameters('contactRoles')]\",\"enabled\":true,\"operator\":\"GreaterThan\",\"threshold\":\"[parameters('firstThreshold')]\"},\"NotificationForExceededBudget2\":{\"contactEmails\":\"[parameters('contactEmails')]\",\"contactGroups\":\"[parameters('contactGroups')]\",\"contactRoles\":\"[parameters('contactRoles')]\",\"enabled\":true,\"operator\":\"GreaterThan\",\"threshold\":\"[parameters('secondThreshold')]\"}},\"timeGrain\":\"[parameters('timeGrain')]\",\"timePeriod\":{\"startDate\":\"[parameters('startDate')]\"}},\"type\":\"Microsoft.Consumption/budgets\"}]}}},\"deploymentScope\":\"subscription\",\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('amount')]\",\"field\":\"Microsoft.Consumption/budgets/amount\"},{\"equals\":\"[parameters('timeGrain')]\",\"field\":\"Microsoft.Consumption/budgets/timeGrain\"},{\"equals\":\"Cost\",\"field\":\"Microsoft.Consumption/budgets/category\"}]},\"existenceScope\":\"subscription\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Consumption/budgets\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Custom-Route-Table\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Custom-Route-Table", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys a route table with specific user defined routes when one does not exist. The route table deployed by the policy must be manually associated to subnet(s)", + "display_name": "Deploy a route table with specific user defined routes", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Custom-Route-Table", + "parameters": "{\"disableBgpPropagation\":{\"defaultValue\":false,\"metadata\":{\"description\":\"Disable BGP Propagation\",\"displayName\":\"DisableBgpPropagation\"},\"type\":\"Boolean\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"requiredRoutes\":{\"metadata\":{\"description\":\"Routes that must exist in compliant route tables deployed by this policy\",\"displayName\":\"requiredRoutes\"},\"type\":\"Array\"},\"routeTableName\":{\"metadata\":{\"description\":\"Name of the route table automatically deployed by this policy\",\"displayName\":\"routeTableName\"},\"type\":\"String\"},\"vnetRegion\":{\"metadata\":{\"description\":\"Only VNets in this region will be evaluated against this policy\",\"displayName\":\"vnetRegion\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/virtualNetworks\",\"field\":\"type\"},{\"equals\":\"[parameters('vnetRegion')]\",\"field\":\"location\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"disableBgpPropagation\":{\"value\":\"[parameters('disableBgpPropagation')]\"},\"requiredRoutes\":{\"value\":\"[parameters('requiredRoutes')]\"},\"routeTableName\":{\"value\":\"[parameters('routeTableName')]\"},\"vnetRegion\":{\"value\":\"[parameters('vnetRegion')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"disableBgpPropagation\":{\"type\":\"bool\"},\"requiredRoutes\":{\"type\":\"array\"},\"routeTableName\":{\"type\":\"string\"},\"vnetRegion\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2021-04-01\",\"name\":\"routeTableDepl\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"disableBgpPropagation\":{\"value\":\"[parameters('disableBgpPropagation')]\"},\"requiredRoutes\":{\"value\":\"[parameters('requiredRoutes')]\"},\"routeTableName\":{\"value\":\"[parameters('routeTableName')]\"},\"vnetRegion\":{\"value\":\"[parameters('vnetRegion')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"disableBgpPropagation\":{\"type\":\"bool\"},\"requiredRoutes\":{\"type\":\"array\"},\"routeTableName\":{\"type\":\"string\"},\"vnetRegion\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2021-02-01\",\"location\":\"[[parameters('vnetRegion')]\",\"name\":\"[[parameters('routeTableName')]\",\"properties\":{\"copy\":\"[variables('copyLoop')]\",\"disableBgpRoutePropagation\":\"[[parameters('disableBgpPropagation')]\"},\"type\":\"Microsoft.Network/routeTables\"}]}},\"type\":\"Microsoft.Resources/deployments\"}],\"variables\":{\"copyLoop\":[{\"count\":\"[[length(parameters('requir
edRoutes'))]\",\"input\":{\"name\":\"[[concat('route-',copyIndex('routes'))]\",\"properties\":{\"addressPrefix\":\"[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[0]]\",\"nextHopIpAddress\":\"[[if(equals(toLower(split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]),'virtualappliance'),split(parameters('requiredRoutes')[copyIndex('routes')], ';')[2], null())]\",\"nextHopType\":\"[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]]\"}},\"name\":\"routes\"}]}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('routeTableName')]\",\"field\":\"name\"},{\"count\":{\"field\":\"Microsoft.Network/routeTables/routes[*]\",\"where\":{\"in\":\"[parameters('requiredRoutes')]\",\"value\":\"[concat(current('Microsoft.Network/routeTables/routes[*].addressPrefix'), ';', current('Microsoft.Network/routeTables/routes[*].nextHopType'), if(equals(toLower(current('Microsoft.Network/routeTables/routes[*].nextHopType')),'virtualappliance'), concat(';', current('Microsoft.Network/routeTables/routes[*].nextHopIpAddress')), ''))]\"}},\"equals\":\"[length(parameters('requiredRoutes'))]\"}]},\"roleDefinitionIds\":[\"/subscriptions/e867a45d-e513-44ac-931e-4741cef80b24/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"],\"type\":\"Microsoft.Network/routeTables\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-DDoSProtection\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-DDoSProtection", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + 
"schema_version": 0, + "values": { + "description": "Deploys an Azure DDoS Protection Standard plan", + "display_name": "Deploy an Azure DDoS Protection Standard plan", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", + "mode": "All", + "name": "Deploy-DDoSProtection", + "parameters": "{\"ddosName\":{\"metadata\":{\"description\":\"DDoSVnet\",\"displayName\":\"ddosName\"},\"type\":\"String\"},\"ddosRegion\":{\"metadata\":{\"description\":\"DDoSVnet location\",\"displayName\":\"ddosRegion\",\"strongType\":\"location\"},\"type\":\"String\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"rgName\":{\"metadata\":{\"description\":\"Provide name for resource group.\",\"displayName\":\"rgName\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"ddosname\":{\"value\":\"[parameters('ddosname')]\"},\"ddosregion\":{\"value\":\"[parameters('ddosRegion')]\"},\"rgName\":{\"value\":\"[parameters('rgName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"ddosRegion\":{\"type\":\"String\"},\"ddosname\":{\"type\":\"String\"},\"rgName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2018-05-01\",\"location\":\"[deployment().location]\",\"name\":\"[parameters('rgName')]\",\"properties\":{},\"type\":\"Microsoft.Resources/resourceGroups\"},{\"apiVersion\":\"2018-05-01\",\"dependsOn\":[\"[resourceId('Microsoft.Resources/resourceGroups/', 
parameters('rgName'))]\"],\"name\":\"ddosprotection\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{},\"resources\":[{\"apiVersion\":\"2019-12-01\",\"location\":\"[parameters('ddosRegion')]\",\"name\":\"[parameters('ddosName')]\",\"properties\":{},\"type\":\"Microsoft.Network/ddosProtectionPlans\"}]}},\"resourceGroup\":\"[parameters('rgName')]\",\"type\":\"Microsoft.Resources/deployments\"}]}}},\"deploymentScope\":\"subscription\",\"existenceScope\":\"resourceGroup\",\"name\":\"[parameters('ddosName')]\",\"resourceGroupName\":\"[parameters('rgName')]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"],\"type\":\"Microsoft.Network/ddosProtectionPlans\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Automation to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-AA", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Automation/automationAccounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"JobLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"JobStreams\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DscNodeStatus\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AuditEvent\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Automation/automationAccounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic 
settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.", + "display_name": "Deploy Diagnostic Settings for Container Instances to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-ACI", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.ContainerInstance/containerGroups\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.ContainerInstance/containerGroups/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + 
"timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.", + "display_name": "Deploy Diagnostic Settings for Container Registry to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-ACR", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.ContainerRegistry/registries\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[paramet
ers('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ContainerRegistryLoginEvents\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ContainerRegistryRepositoryEvents\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.ContainerRegistry/registries/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings 
for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for API Management to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-APIMgmt", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.ApiManagement/service\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"GatewayLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.ApiManagement/service/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-AnalysisService", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.AnalysisServices/servers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Engine\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Service\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.AnalysisServices/servers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is 
created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-ApiForFHIR", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.HealthcareApis/services\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.HealthcareApis/services/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-ApplicationGateway", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/applicationGateways\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ApplicationGatewayAccessLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ApplicationGatewayPerformanceLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ApplicationGatewayFirewallLog\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/applicationGateways/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic 
settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-CDNEndpoints", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Cdn/profiles/endpoints\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('fullName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"CoreAnalytics\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Cdn/profiles/endpoints/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-CognitiveServices", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.CognitiveServices/accounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameter
s('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"RequestResponse\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Trace\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.CognitiveServices/accounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": 
"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-CosmosDB", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DocumentDB/databaseAccounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"DataPlaneRequests\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"MongoRequests\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"QueryRuntimeStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"PartitionKeyStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"PartitionKeyRUConsumption\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ControlPlaneRequests\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"CassandraRequests\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"GremlinRequests\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"Requests\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DocumentDB/databaseAccounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\"]", + "mode": 
"managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-DLAnalytics", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.DataLakeAnalytics/accounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameter
s('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Requests\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Azure Data Explorer 
Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-DataExplorerCluster", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Kusto/Clusters\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"SucceededIngestion\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"FailedIngestion\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"IngestionBatching\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Command\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Query\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TableUsageStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TableDetails\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Kusto/Clusters/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Data Factory to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-DataFactory", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.DataFactory/factories\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('lo
cation')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ActivityRuns\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"PipelineRuns\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TriggerRuns\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageEventMessages\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageExecutableStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageEventMessageContext\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageExecutionComponentPhases\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISPackageExecutionDataStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SSISIntegrationRuntimeLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DataFactory/factories/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Databricks to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-Databricks", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Databricks/workspaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"dbfs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"clusters\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"accounts\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"jobs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"notebook\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"ssh\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"workspace\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"secrets\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"sqlPermissions\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"instancePools\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Databricks/workspaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-EventGridSub", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.EventGrid/eventSubscriptions\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.EventGrid/eventSubscriptions/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-EventGridSystemTopic", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.EventGrid/systemTopics\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"DeliveryFailures\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.EventGrid/systemTopics/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-EventGridTopic", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.EventGrid/topics\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"DeliveryFailures\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"PublishFailures\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.EventGrid/topics/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is 
created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-ExpressRoute", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/expressRouteCircuits\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"PeeringRouteLog\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/expressRouteCircuits/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Firewall to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-Firewall", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/azureFirewalls\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AzureFirewallApplicationRule\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AzureFirewallNetworkRule\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AzureFirewallDnsProxy\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/azureFirewalls/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Front Door to 
stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Front Door to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-FrontDoor", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/frontDoors\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"FrontdoorAccessLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"FrontdoorWebApplicationFirewallLog\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/frontDoors/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this 
diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-Function", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"contains\":\"functionapp\",\"value\":\"[field('kind')]\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"FunctionAppLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Web/sites/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for HDInsight to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-HDInsight", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.HDInsight/clusters\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.HDInsight/clusters/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + 
"sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-LoadBalancer", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/loadBalancers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('lo
cation')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"LoadBalancerAlertEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"LoadBalancerProbeHealthStatus\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/loadBalancers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Logic 
Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-LogicAppsISE", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Logic/integrationAccounts\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"IntegrationAccountTrackingEvents\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Logic/integrationAccounts/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for MariaDB to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-MariaDB", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.DBforMariaDB/servers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('loc
ation')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"MySqlSlowLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"MySqlAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DBforMariaDB/servers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Azure Media Service to stream to a 
Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-MediaService", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Media/mediaServices\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"KeyDeliveryRequests\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Media/mediaServices/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-MlWorkspace", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.MachineLearningServices/workspaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AmlComputeClusterEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AmlComputeClusterNodeEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AmlComputeJobEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AmlComputeCpuGpuUtilization\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AmlRunStatusChangedEvent\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"Run\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null},{\"category\":\"Model\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":true}},{\"category\":\"Quota\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null},{\"category\":\"Resource\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.MachineLearningServices/workspaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-MySQL", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.DBforMySQL/servers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('locat
ion')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"MySqlSlowLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"MySqlAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DBforMySQL/servers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace 
when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-NIC", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/networkInterfaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/networkInterfaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + 
"sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-NetworkSecurityGroups", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/networkSecurityGroups\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"NetworkSecurityGroupEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"NetworkSecurityGroupRuleCounter\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-PostgreSQL", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DBforPostgreSQL/servers\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"PostgreSQLLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"QueryStoreRuntimeStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"QueryStoreWaitStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DBforPostgreSQL/servers/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Power BI 
Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-PowerBIEmbedded", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.PowerBIDedicated/capacities\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Engine\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.PowerBIDedicated/capacities/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-RedisCache", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Cache/redis\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Cache/redis/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + 
}, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Relay to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-Relay", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Relay/namespaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('locatio
n')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"HybridConnectionsEvent\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Relay/namespaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this 
diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-SQLElasticPools", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Sql/servers/elasticPools\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('fullName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Sql/servers/elasticPools/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + 
}, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-SQLMI", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Sql/managedInstances\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ResourceUsageStats\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SQLSecurityAuditEvents\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DevOpsOperationsAudit\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Sql/managedInstances/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for SignalR to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-SignalR", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.SignalRService/SignalR\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AllLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.SignalRService/SignalR/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-TimeSeriesInsights", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.TimeSeriesInsights/environments\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Ingress\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Management\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.TimeSeriesInsights/environments/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic 
settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-TrafficManager", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/trafficManagerProfiles\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"ProbeHealthStatusEvents\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/trafficManagerProfiles/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-VM", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Compute/virtualMachines\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false}}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Compute/virtualMachines/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": 
{} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-VMSS", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false}}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Compute/virtualMachineScaleSets/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled.", + "display_name": "Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-VNetGW", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Network/virtualNetworkGateways\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"GatewayDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"IKEDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"P2SDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"RouteDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"RouteDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TunnelDiagnosticLog\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/virtualNetworkGateways/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-VirtualNetwork", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/virtualNetworks\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('
location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"VMProtectionAlerts\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false}}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Network/virtualNetworks/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for WVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic 
settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "display_name": "Deploy Diagnostic Settings for WVD Application group to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-WVDAppGroup", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DesktopVirtualization/applicationGroups\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Checkpoint\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Error\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Management\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DesktopVirtualization/applicationGroups/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for WVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all and categorys enabled.", + "display_name": "Deploy Diagnostic Settings for WVD Host Pools to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-WVDHostPools", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DesktopVirtualization/hostpools\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Checkpoint\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Error\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Management\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Connection\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"HostRegistration\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AgentHealthStatus\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DesktopVirtualization/hostpools/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for WVD Workspace to stream to a Log Analytics workspace when any 
Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "display_name": "Deploy Diagnostic Settings for WVD Workspace to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-WVDWorkspace", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.DesktopVirtualization/workspaces\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Checkpoint\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Error\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Management\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Feed\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.DesktopVirtualization/workspaces/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-WebServerFarm", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Web/serverfarms\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Web/serverfarms/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + 
"sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for App Service to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-Website", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Web/sites\",\"field\":\"type\"},{\"notContains\":\"functionapp\",\"value\":\"[field('kind')]\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"20
17-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"AppServiceAntivirusScanAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceHTTPLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceConsoleLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceHTTPLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceAppLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceFileAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServiceIPSecAuditLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AppServicePlatformLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Web/sites/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": 
{} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "display_name": "Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Diagnostics-iotHub", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"logsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable logs stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable logs\"},\"type\":\"String\"},\"metricsEnabled\":{\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\",\"metadata\":{\"description\":\"Whether to enable metrics stream to the Log Analytics workspace - True or False\",\"displayName\":\"Enable metrics\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Devices/IotHubs\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"logsEnabled\":{\"type\":\"String\"},\"metricsEnabled\":{\"type\":\"String\"},\"profileName\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-01-preview\",\"dependsOn\":[],\"location\":\"[parameters('location
')]\",\"name\":\"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"properties\":{\"logs\":[{\"category\":\"Connections\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DeviceTelemetry\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"C2DCommands\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DeviceIdentityOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"FileUploadOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Routes\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"D2CTwinOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"C2DTwinOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"TwinQueries\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"JobsOperations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DirectMethods\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DistributedTracing\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Configurations\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DeviceStreams\",\"enabled\":\"[parameters('logsEnabled')]\"}],\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"days\":0,\"enabled\":false},\"timeGrain\":null}],\"workspaceId\":\"[parameters('logAnalytics')]\"},\"type\":\"Microsoft.Devices/IotHubs/providers/diagnosticSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\"},{\"equals\":\"true\",\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\"},{\"equals\":\"[parameters('logAnalytics')]\",\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\"}]},\"name\":\"setByPolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa
\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Insights/diagnosticSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-FirewallPolicy\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-FirewallPolicy", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys Azure Firewall Manager policy in subscription where the policy is assigned.", + "display_name": "Deploy Azure Firewall Manager policy in the subscription", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", + "mode": "All", + "name": "Deploy-FirewallPolicy", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"fwPolicyRegion\":{\"metadata\":{\"description\":\"Select Azure region for Azure Firewall Policy\",\"displayName\":\"fwPolicyRegion\",\"strongType\":\"location\"},\"type\":\"String\"},\"fwpolicy\":{\"defaultValue\":{},\"metadata\":{\"description\":\"Object describing Azure Firewall Policy\",\"displayName\":\"fwpolicy\"},\"type\":\"Object\"},\"rgName\":{\"metadata\":{\"description\":\"Provide name for resource group.\",\"displayName\":\"rgName\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"fwPolicy\":{\"value\":\"[parameters('fwPolicy')]\"},\"fwPolicyRegion\":{\"value\":\"[parameters('fwPolicyRegion')]\"},\"rgName\":{\"value\":\"[parameters('rgName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"fwPolicy\":{\"type\":\"object\"},\"fwPolicyRegion\":{\"type\":\"String\"},\"rgName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2018-05-01\",\"location\":\"[deployment().location]\",\"name\":\"[parameters('rgName')]\",\"properties\":{},\"type\":\"Microsoft.Resources/resourceGroups\"},{\"apiVersion\":\"2018-05-01\",\"dependsOn\":[\"[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]\"],\"name\":\"fwpolicies\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{},\"resources\":[{\"apiVersion\":\"2019-09-01\",\"dependsOn\":[],\"location\":\"[parameters('fwpolicy').location]\",\"name\":\"[parameters('fwpolicy').firewallPolicyName]\",\"properties\":{},\"resources\":[{\"apiVersion\":\"2019-09-01\",\"dependsOn\":[\"[resourceId('Microsoft.Network/firewallPolicies',parameters('fwpolicy').firewallPolicyName)]\"],\"name\":\"[parameters('fwpolicy').ruleGroups.name]\",\"properties\":{\"priority\":\"[parameters('fwpolicy').ruleGroups.properties.priority]\",\"rules\":\"[parameters('fwpolicy').ruleGroups.properties.rules]\"},\"type\":\"ruleGroups\"}],\"tags\":{},\"type\":\"Microsoft.Network/firewallPolicies\"}],\"variables\":{}}},\"resourceGroup\":\"[parameters('rgName')]\",\"type\":\"Microsoft.Resources/deployments\"}]}}},\"depl
oymentScope\":\"subscription\",\"existenceScope\":\"resourceGroup\",\"resourceGroupName\":\"[parameters('rgName')]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Network/firewallPolicies\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-MySQL-sslEnforcement", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure Database for MySQL server\",\"displayName\":\"Effect minimum TLS version Azure Database for MySQL server\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"Select version minimum TLS for MySQL server\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforMySQL/servers\",\"field\":\"type\"},{\"anyOf\":[{\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"},{\"field\":\"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('minimalTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimalTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-12-01\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimalTlsVersion\":\"[parameters('minimalTlsVersion')]\",\"sslEnforcement\":\"[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]\"},\"type\":\"Microsoft.DBforMySQL/servers\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"Enabled\",\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\"},{\"equals\":\"[parameters('minimalTlsVersion')]\",\"field\":\"Microsoft.DBforMySQL/servers/minimalTlsVersion\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.DBforMySQL/servers\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs\"]", + "mode": 
"managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys NSG flow logs and traffic analytics to a storageaccountid with a specfied retention period.", + "display_name": "Deploys NSG flow logs and traffic analytics", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Nsg-FlowLogs", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"flowAnalyticsEnabled\":{\"defaultValue\":false,\"metadata\":{\"displayName\":\"Enable Traffic Analytics\"},\"type\":\"Boolean\"},\"logAnalytics\":{\"defaultValue\":\"\",\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Resource ID of Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"retention\":{\"defaultValue\":5,\"metadata\":{\"displayName\":\"Retention\"},\"type\":\"Integer\"},\"storageAccountResourceId\":{\"metadata\":{\"displayName\":\"Storage Account Resource Id\",\"strongType\":\"Microsoft.Storage/storageAccounts\"},\"type\":\"String\"},\"trafficAnalyticsInterval\":{\"defaultValue\":60,\"metadata\":{\"displayName\":\"Traffic Analytics processing interval mins (10/60)\"},\"type\":\"Integer\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Network/networkSecurityGroups\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"flowAnalyticsEnabled\":{\"value\":\"[parameters('flowAnalyticsEnabled')]\"},\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"networkSecurityGroupName\":{\"value\":\"[field('name')]\"},\"resourceGroupName\":{\"value\":\"[resourceGroup().name]\"},\"retention\":{\"value\":\"[parameters('retention')]\"},\"storageAccountResourceId\":{\"value\":\"[parameters('storageAccountResourceId')]\"},\"trafficAnalyticsInterval\":{\"value\":\"[parameters('trafficAnalyticsInterval')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"flowAnalyticsEnabled\":{\"type\":\"bool\"},\"location\":{\"type\":\"String\"},\"logAnalytics\":{\"type\":\"String\"},\"networkSecurityGroupName\":{\"type\":\"String\"},\"resourceGroupName\":{\"type\":\"String\"},\"retention\":{\"type\":\"int\"},\"storageAccountResourceId\":{\"type\":\"String\"},\"trafficAnalyticsInterval\":{\"type\":\"int\"}},\"resources\":[{\"api
Version\":\"2020-05-01\",\"location\":\"[parameters('location')]\",\"name\":\"[take(concat('NetworkWatcher_', toLower(parameters('location')), '/', parameters('networkSecurityGroupName'), '-', parameters('resourceGroupName'), '-flowlog' ), 80)]\",\"properties\":{\"enabled\":true,\"flowAnalyticsConfiguration\":{\"networkWatcherFlowAnalyticsConfiguration\":{\"enabled\":\"[bool(parameters('flowAnalyticsEnabled'))]\",\"trafficAnalyticsInterval\":\"[parameters('trafficAnalyticsInterval')]\",\"workspaceId\":\"[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').properties.customerId, json('null')) ]\",\"workspaceRegion\":\"[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').location, json('null')) ]\",\"workspaceResourceId\":\"[if(not(empty(parameters('logAnalytics'))), parameters('logAnalytics'), json('null'))]\"}},\"format\":{\"type\":\"JSON\",\"version\":2},\"retentionPolicy\":{\"days\":\"[parameters('retention')]\",\"enabled\":true},\"storageId\":\"[parameters('storageAccountResourceId')]\",\"targetResourceId\":\"[resourceId(parameters('resourceGroupName'), 'Microsoft.Network/networkSecurityGroups', 
parameters('networkSecurityGroupName'))]\"},\"type\":\"Microsoft.Network/networkWatchers/flowLogs\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Network/networkWatchers/flowLogs/enabled\"},{\"equals\":\"[parameters('flowAnalyticsEnabled')]\",\"field\":\"Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled\"}]},\"resourceGroupName\":\"NetworkWatcherRG\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"type\":\"Microsoft.Network/networkWatchers/flowLogs\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs-to-LA\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs-to-LA", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys NSG flow logs and traffic analytics to Log Analytics with a specfied retention period.", + "display_name": "Deploys NSG flow logs and traffic analytics to Log Analytics", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.1.0\"}", + "mode": "Indexed", + "name": "Deploy-Nsg-FlowLogs-to-LA", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"interval\":{\"defaultValue\":60,\"metadata\":{\"displayName\":\"Traffic Analytics processing interval mins (10/60)\"},\"type\":\"Integer\"},\"retention\":{\"defaultValue\":5,\"metadata\":{\"displayName\":\"Retention\"},\"type\":\"Integer\"},\"workspace\":{\"defaultValue\":\"\",\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Resource ID of Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Network/networkSecurityGroups\",\"field\":\"type\"}]},\"then\":{\"details\":{\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"interval\":{\"value\":\"[parameters('interval')]\"},\"location\":{\"value\":\"[field('location')]\"},\"networkSecurityGroup\":{\"value\":\"[field('id')]\"},\"retention\":{\"value\":\"[parameters('retention')]\"},\"workspace\":{\"value\":\"[parameters('workspace')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"interval\":{\"type\":\"int\"},\"location\":{\"type\":\"String\"},\"networkSecurityGroup\":{\"type\":\"String\"},\"retention\":{\"type\":\"int\"},\"time\":{\"defaultValue\":\"[utcNow()]\",\"type\":\"String\"},\"workspace\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2019-10-01\",\"name\":\"[concat(variables('resourceGroupName'), '.', 
variables('securityGroupName'))]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"resources\":[{\"apiVersion\":\"2019-06-01\",\"kind\":\"StorageV2\",\"location\":\"[parameters('location')]\",\"name\":\"[variables('storageAccountName')]\",\"properties\":{},\"sku\":{\"name\":\"Standard_LRS\",\"tier\":\"Standard\"},\"type\":\"Microsoft.Storage/storageAccounts\"}]}},\"resourceGroup\":\"[variables('resourceGroupName')]\",\"type\":\"Microsoft.Resources/deployments\"},{\"apiVersion\":\"2019-10-01\",\"dependsOn\":[\"[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]\"],\"name\":\"[concat('NetworkWatcherRG', '.', variables('securityGroupName'))]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"resources\":[{\"apiVersion\":\"2020-05-01\",\"location\":\"[parameters('location')]\",\"name\":\"[concat('NetworkWatcher_', toLower(parameters('location')))]\",\"properties\":{},\"resources\":[{\"apiVersion\":\"2019-11-01\",\"dependsOn\":[\"[concat('NetworkWatcher_', toLower(parameters('location')))]\"],\"location\":\"[parameters('location')]\",\"name\":\"[concat(variables('securityGroupName'), '-Network-flowlog')]\",\"properties\":{\"enabled\":true,\"flowAnalyticsConfiguration\":{\"networkWatcherFlowAnalyticsConfiguration\":{\"enabled\":true,\"trafficAnalyticsInterval\":\"[parameters('interval')]\",\"workspaceResourceId\":\"[parameters('workspace')]\"}},\"format\":{\"type\":\"JSON\",\"version\":2},\"retentionPolicy\":{\"days\":\"[parameters('retention')]\",\"enabled\":true},\"storageId\":\"[concat(subscription().id, '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.Storage/storageAccounts/', 
variables('storageAccountName'))]\",\"targetResourceId\":\"[parameters('networkSecurityGroup')]\"},\"type\":\"flowLogs\"}],\"type\":\"Microsoft.Network/networkWatchers\"}]}},\"resourceGroup\":\"NetworkWatcherRG\",\"type\":\"Microsoft.Resources/deployments\"}],\"variables\":{\"resourceGroupName\":\"[split(parameters('networkSecurityGroup'), '/')[4]]\",\"securityGroupName\":\"[split(parameters('networkSecurityGroup'), '/')[8]]\",\"storageAccountName\":\"[concat('es', uniqueString(variables('securityGroupName'), parameters('time')))]\"}}}},\"deploymentScope\":\"subscription\",\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Network/networkWatchers/flowLogs/enabled\"}]},\"existenceScope\":\"resourceGroup\",\"name\":\"[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id'))), 'null/null', concat(split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8], '/', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10]))]\",\"resourceGroupName\":\"[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), 'NetworkWatcherRG', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\",\"/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12\",\"/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\",\"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\",\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Network/networkWatchers/flowlogs\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL ", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-PostgreSQL-sslEnforcement", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure Database for PostgreSQL server\",\"displayName\":\"Effect Azure Database for PostgreSQL server\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for PostgreSQL server to enforce\",\"displayName\":\"Select version for PostgreSQL 
server\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.DBforPostgreSQL/servers\",\"field\":\"type\"},{\"anyOf\":[{\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\"notEquals\":\"[parameters('minimalTlsVersion')]\"}]}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('minimalTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimalTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-12-01\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimalTlsVersion\":\"[parameters('minimalTlsVersion')]\",\"sslEnforcement\":\"[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]\"},\"type\":\"Microsoft.DBforPostgreSQL/servers\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"Enabled\",\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\"},{\"equals\":\"[parameters('minimalTlsVersion')]\",\"field\":\"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\"}]},\"name\":\"current\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.DBforPostgreSQL/servers\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "SQL servers deploys a specific min TLS version requirement.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-SQL-minTLS", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version SQL servers\",\"displayName\":\"Effect SQL servers\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version SQL servers to enforce\",\"displayName\":\"Select version for SQL server\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Sql/servers\",\"field\":\"type\"},{\"field\":\"Microsoft.Sql/servers/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('minimalTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimalTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2019-06-01-preview\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimalTlsVersion\":\"[parameters('minimalTlsVersion')]\"},\"type\":\"Microsoft.Sql/servers\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('minimalTlsVersion')]\",\"field\":\"Microsoft.Sql/servers/minimalTlsVersion\"}]},\"name\":\"current\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.Sql/servers\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + 
"schema_version": 0, + "values": { + "description": "Deploy auditing settings to SQL Database when it not exist in the deployment", + "display_name": "Deploy SQL database auditing settings", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Sql-AuditingSettings", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Sql/servers/databases\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"sqlServerDataBaseName\":{\"value\":\"[field('name')]\"},\"sqlServerName\":{\"value\":\"[first(split(field('fullname'),'/'))]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"sqlServerDataBaseName\":{\"type\":\"String\"},\"sqlServerName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-03-01-preview\",\"name\":\"[concat( 
parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\"properties\":{\"auditActionsAndGroups\":[\"BATCH_COMPLETED_GROUP\",\"DATABASE_OBJECT_CHANGE_GROUP\",\"SCHEMA_OBJECT_CHANGE_GROUP\",\"BACKUP_RESTORE_GROUP\",\"APPLICATION_ROLE_CHANGE_PASSWORD_GROUP\",\"DATABASE_PRINCIPAL_CHANGE_GROUP\",\"DATABASE_PRINCIPAL_IMPERSONATION_GROUP\",\"DATABASE_ROLE_MEMBER_CHANGE_GROUP\",\"USER_CHANGE_PASSWORD_GROUP\",\"DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP\",\"DATABASE_OBJECT_PERMISSION_CHANGE_GROUP\",\"DATABASE_PERMISSION_CHANGE_GROUP\",\"SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP\",\"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP\",\"FAILED_DATABASE_AUTHENTICATION_GROUP\"],\"isAzureMonitorTargetEnabled\":true,\"state\":\"enabled\"},\"type\":\"Microsoft.Sql/servers/databases/auditingSettings\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"enabled\",\"field\":\"Microsoft.Sql/servers/databases/auditingSettings/state\"},{\"equals\":\"true\",\"field\":\"Microsoft.Sql/servers/databases/auditingSettings/isAzureMonitorTargetEnabled\"}]},\"name\":\"default\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"],\"type\":\"Microsoft.Sql/servers/databases/auditingSettings\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy 
the security Alert Policies configuration with email admin accounts when it not exist in current configuration", + "display_name": "Deploy SQL Database security Alert Policies configuration with email admin accounts", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Sql-SecurityAlertPolicies", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Sql/servers/databases\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"sqlServerDataBaseName\":{\"value\":\"[field('name')]\"},\"sqlServerName\":{\"value\":\"[first(split(field('fullname'),'/'))]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"sqlServerDataBaseName\":{\"type\":\"String\"},\"sqlServerName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2018-06-01-preview\",\"name\":\"[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\"properties\":{\"disabledAlerts\":[\"\"],\"emailAccountAdmins\":true,\"emailAddresses\":[\"admin@contoso.com\"],\"retentionDays\":0,\"state\":\"Enabled\",\"storageAccountAccessKey\":\"\",\"storageEndpoint\":null},\"type\":\"Microsoft.Sql/servers/databases/securityAlertPolicies\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"Enabled\",\"field\":\"Microsoft.Sql/servers/databases/securityAlertPolicies/state\"}]},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e
-88ba6a50c9c3\"],\"type\":\"Microsoft.Sql/servers/databases/securityAlertPolicies\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment", + "display_name": "Deploy SQL Database Transparent Data Encryption ", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Sql-Tde", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"equals\":\"Microsoft.Sql/servers/databases\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"sqlServerDataBaseName\":{\"value\":\"[field('name')]\"},\"sqlServerName\":{\"value\":\"[first(split(field('fullname'),'/'))]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"sqlServerDataBaseName\":{\"type\":\"String\"},\"sqlServerName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2014-04-01\",\"name\":\"[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/current')]\",\"properties\":{\"status\":\"Enabled\"},\"type\":\"Microsoft.Sql/servers/databases/transparentDataEncryption\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"Enabled\",\"field\":\"Microsoft.Sql/transparentDataEncryption.status\"}]},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"],\"type\":\"Microsoft.Sql/servers/databases/transparentDataEncryption\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy SQL Database vulnerability 
Assessments when it not exist in the deployment. To the specific storage account in the parameters", + "display_name": "Deploy SQL Database vulnerability Assessments", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Sql-vulnerabilityAssessments", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"vulnerabilityAssessmentsEmail\":{\"metadata\":{\"description\":\"The email address to send alerts\",\"displayName\":\"The email address to send alerts\"},\"type\":\"String\"},\"vulnerabilityAssessmentsStorageID\":{\"metadata\":{\"description\":\"The storage account ID to store assessments\",\"displayName\":\"The storage account ID to store assessments\"},\"type\":\"String\"}}", + "policy_rule": "{\"if\":{\"equals\":\"Microsoft.Sql/servers/databases\",\"field\":\"type\"},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"sqlServerDataBaseName\":{\"value\":\"[field('name')]\"},\"sqlServerName\":{\"value\":\"[first(split(field('fullname'),'/'))]\"},\"vulnerabilityAssessmentsEmail\":{\"value\":\"[parameters('vulnerabilityAssessmentsEmail')]\"},\"vulnerabilityAssessmentsStorageID\":{\"value\":\"[parameters('vulnerabilityAssessmentsStorageID')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"sqlServerDataBaseName\":{\"type\":\"String\"},\"sqlServerName\":{\"type\":\"String\"},\"vulnerabilityAssessmentsEmail\":{\"type\":\"String\"},\"vulnerabilityAssessmentsStorageID\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-03-01-p
review\",\"name\":\"[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\"properties\":{\"recurringScans\":{\"emailSubscriptionAdmins\":false,\"emails\":[\"[parameters('vulnerabilityAssessmentsEmail')]\"],\"isEnabled\":true},\"storageAccountAccessKey\":\"[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]\",\"storageContainerPath\":\"[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') ) , '.blob.core.windows.net/vulneraabilitylogs')]\"},\"type\":\"Microsoft.Sql/servers/databases/vulnerabilityAssessments\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('vulnerabilityAssessmentsEmail')]\",\"field\":\"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails\"},{\"equals\":true,\"field\":\"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled\"}]},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\",\"/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\"],\"type\":\"Microsoft.Sql/servers/databases/vulnerabilityAssessments\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy a specific min TLS 
version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "SQL managed instances deploy a specific min TLS version requirement.", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-SqlMi-minTLS", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version SQL servers\",\"displayName\":\"Effect SQL servers\"},\"type\":\"String\"},\"minimalTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.1\",\"1.0\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version SQL servers to enforce\",\"displayName\":\"Select version for SQL server\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Sql/managedInstances\",\"field\":\"type\"},{\"field\":\"Microsoft.Sql/managedInstances/minimalTlsVersion\",\"notequals\":\"[parameters('minimalTlsVersion')]\"}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('minimalTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimalTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2020-02-02-preview\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimalTlsVersion\":\"[parameters('minimalTlsVersion')]\"},\"type\":\"Microsoft.Sql/managedInstances\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"[parameters('minimalTlsVersion')]\",\"field\":\"Microsoft.Sql/managedInstances/minimalTlsVersion\"}]},\"name\":\"current\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.Sql/managedInstances\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", + "provider_name": 
"registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure STorage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "display_name": "Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS ", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Storage\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Storage-sslEnforcement", + "parameters": "{\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy minimum TLS version Azure STorage\",\"displayName\":\"Effect Azure STorage\"},\"type\":\"String\"},\"minimumTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_1\",\"TLS1_0\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure STorage to enforce\",\"displayName\":\"Select version for PostgreSQL server\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Storage/storageAccounts\",\"field\":\"type\"},{\"anyOf\":[{\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\"notEquals\":\"true\"},{\"field\":\"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\"notEquals\":\"[parameters('minimumTlsVersion')]\"}]}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('minimumTlsVersion')]\"},\"resourceName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"location\":{\"type\":\"String\"},\"minimumTlsVersion\":{\"type\":\"String\"},\"resourceName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2019-06-01\",\"location\":\"[parameters('location')]\",\"name\":\"[concat(parameters('resourceName'))]\",\"properties\":{\"minimumTlsVersion\":\"[parameters('minimumTlsVersion')]\",\"supportsHttpsTrafficOnly\":true},\"type\":\"Microsoft.Storage/storageAccounts\"}],\"variables\":{}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"true\",\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\"},{\"equals\":\"[parameters('minimumTlsVersion')]\",\"field\":\"Microsoft.Storage/storageAccounts/minimumTlsVersion\"},{\"equals\":\"false\",\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\"}]},\"name\":\"current\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"],\"type\":\"Microsoft.DBforPostgreSQL/servers\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-VNET-HubSpoke\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-VNET-HubSpoke", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy deploys virtual network and peer to the hub", + "display_name": "Deploy Virtual Network with peering to the hub", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.1.0\"}", + "mode": "All", + "name": "Deploy-VNET-HubSpoke", + "parameters": "{\"dnsServers\":{\"defaultValue\":[],\"metadata\":{\"description\":\"Default domain servers for the vNET.\",\"displayName\":\"DNSServers\"},\"type\":\"Array\"},\"hubResourceId\":{\"metadata\":{\"description\":\"Resource ID for the HUB vNet\",\"displayName\":\"hubResourceId\"},\"type\":\"String\"},\"vNetCidrRange\":{\"metadata\":{\"description\":\"CIDR Range for the vNet\",\"displayName\":\"vNetCidrRange\"},\"type\":\"String\"},\"vNetLocation\":{\"metadata\":{\"description\":\"Location for the vNet\",\"displayName\":\"vNetLocation\"},\"type\":\"String\"},\"vNetName\":{\"metadata\":{\"description\":\"Name of the landing zone vNet\",\"displayName\":\"vNetName\"},\"type\":\"String\"},\"vNetPeerUseRemoteGateway\":{\"defaultValue\":false,\"metadata\":{\"description\":\"Enable gateway transit for the LZ network\",\"displayName\":\"vNetPeerUseRemoteGateway\"},\"type\":\"Boolean\"},\"vNetRgName\":{\"metadata\":{\"description\":\"Name of the landing zone vNet RG\",\"displayName\":\"vNetRgName\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Resources/subscriptions\",\"field\":\"type\"}]},\"then\":{\"details\":{\"ResourceGroupName\":\"[parameters('vNetRgName')]\",\"deployment\":{\"location\":\"northeurope\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"dnsServers\":{\"value\":\"[parameters('dnsServers')]\"},\"hubResourceId\":{\"value\":\"[parameters('hubResourceId')]\"},\"vNetCidrRange\":{\"value\":\"[parameters('vNetCidrRange')]\"},\"vNetLocation\":{\"value\":\"[parameters('vNetLocation')]\"},\"vNetName\":{\"value\":\"[parameters('vNetName')]\"},\"vNetPeerUseRemoteGateway\":{\"value\":\"[parameters('vNetPeerUseRemoteGateway')]\"},\"vNetRgName\":{\"value\":\"[parameters('vNetRgName')]\"}},\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"dnsServers\":{\"defaultValue\":[],\"type\":\"Array\"},\"hubResourceId\":{\"type\":\"String\"},\"vNetCidrRange\":{\"type\":\"String\"},\"vNetLocation\":{\"type\":\"String\"},\"vNetName\":{\"type\":\"String\"},\"vNetPeerUseRemoteGateway\":{\"defaultValue\":false,\"type\":\"bool\"},\"vNetRgName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2021-04-01\",\"dependsOn\":[],\"location\":\"[parameters('vNetLocation')]\",\"name\":\"[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6),'-rg')]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{},\"resources\":[{\"apiVersion\":\"2021-04-01\",\"location\":\"[parameters('vNetLocation')]\",\"name\":\"[parameters('vNetRgName')]\",\"properties\":{},\"type\":\"Microsoft.Resources/resourceGroups\"}],\"variables\":{}}},\"type\":\"Microsoft.Resources/deployments\"},{\"apiVersion\":\"2021-04-01\",\"dependsOn\":[\"[concat('es-lz-vnet-',substring(uniqueString(subscrip
tion().id),0,6),'-rg')]\"],\"name\":\"[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6))]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{},\"resources\":[{\"apiVersion\":\"2021-02-01\",\"dependsOn\":[],\"location\":\"[parameters('vNetLocation')]\",\"name\":\"[parameters('vNetName')]\",\"properties\":{\"addressSpace\":{\"addressPrefixes\":[\"[parameters('vNetCidrRange')]\"]},\"dhcpOptions\":{\"dnsServers\":\"[parameters('dnsServers')]\"}},\"type\":\"Microsoft.Network/virtualNetworks\"},{\"apiVersion\":\"2021-02-01\",\"dependsOn\":[\"[parameters('vNetName')]\"],\"name\":\"[concat(parameters('vNetName'), '/peerToHub')]\",\"properties\":{\"allowForwardedTraffic\":true,\"allowGatewayTransit\":false,\"allowVirtualNetworkAccess\":true,\"remoteVirtualNetwork\":{\"id\":\"[parameters('hubResourceId')]\"},\"useRemoteGateways\":\"[parameters('vNetPeerUseRemoteGateway')]\"},\"type\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\"},{\"apiVersion\":\"2021-04-01\",\"dependsOn\":[\"[parameters('vNetName')]\"],\"name\":\"[concat('es-lz-hub-',substring(uniqueString(subscription().id),0,6),'-peering')]\",\"properties\":{\"expressionEvaluationOptions\":{\"scope\":\"inner\"},\"mode\":\"Incremental\",\"parameters\":{\"hubName\":{\"value\":\"[split(parameters('hubResourceId'),'/')[8]]\"},\"remoteVirtualNetwork\":{\"value\":\"[concat(subscription().id,'/resourceGroups/',parameters('vNetRgName'), '/providers/','Microsoft.Network/virtualNetworks/', 
parameters('vNetName'))]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"hubName\":{\"defaultValue\":false,\"type\":\"String\"},\"remoteVirtualNetwork\":{\"defaultValue\":false,\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2021-02-01\",\"name\":\"[[concat(parameters('hubName'),'/',last(split(parameters('remoteVirtualNetwork'),'/')))]\",\"properties\":{\"allowForwardedTraffic\":true,\"allowGatewayTransit\":true,\"allowVirtualNetworkAccess\":true,\"remoteVirtualNetwork\":{\"id\":\"[[parameters('remoteVirtualNetwork')]\"},\"useRemoteGateways\":false},\"type\":\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\"}],\"variables\":{}}},\"resourceGroup\":\"[split(parameters('hubResourceId'),'/')[4]]\",\"subscriptionId\":\"[split(parameters('hubResourceId'),'/')[2]]\",\"type\":\"Microsoft.Resources/deployments\"}],\"variables\":{}}},\"resourceGroup\":\"[parameters('vNetRgName')]\",\"type\":\"Microsoft.Resources/deployments\"}],\"variables\":{}}}},\"deploymentScope\":\"subscription\",\"existenceCondition\":{\"allOf\":[{\"field\":\"name\",\"like\":\"[parameters('vNetName')]\"},{\"equals\":\"[parameters('vNetLocation')]\",\"field\":\"location\"}]},\"existenceScope\":\"resourceGroup\",\"name\":\"[parameters('vNetName')]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Network/virtualNetworks\"},\"effect\":\"deployIfNotExists\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Windows-DomainJoin\"]", + "mode": "managed", + "type": "azurerm_policy_definition", + "name": "enterprise_scale", + "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Windows-DomainJoin", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy Windows Domain Join Extension with keyvault configuration when the extension does not exist on a given windows Virtual Machine", + "display_name": "Deploy Windows Domain Join Extension with keyvault configuration", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Guest Configuration\",\"version\":\"1.0.0\"}", + "mode": "Indexed", + "name": "Deploy-Windows-DomainJoin", + "parameters": "{\"domainFQDN\":{\"metadata\":{\"displayName\":\"domainFQDN\"},\"type\":\"String\"},\"domainOUPath\":{\"metadata\":{\"displayName\":\"domainOUPath\"},\"type\":\"String\"},\"domainPassword\":{\"metadata\":{\"displayName\":\"domainPassword\"},\"type\":\"String\"},\"domainUsername\":{\"metadata\":{\"displayName\":\"domainUsername\"},\"type\":\"String\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"keyVaultResourceId\":{\"metadata\":{\"displayName\":\"keyVaultResourceId\"},\"type\":\"String\"}}", + "policy_rule": 
"{\"if\":{\"allOf\":[{\"equals\":\"Microsoft.Compute/virtualMachines\",\"field\":\"type\"},{\"equals\":\"MicrosoftWindowsServer\",\"field\":\"Microsoft.Compute/imagePublisher\"},{\"equals\":\"WindowsServer\",\"field\":\"Microsoft.Compute/imageOffer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2008-R2-SP1-zhcn\",\"2012-Datacenter\",\"2012-datacenter-gensecond\",\"2012-Datacenter-smalldisk\",\"2012-datacenter-smalldisk-g2\",\"2012-Datacenter-zhcn\",\"2012-datacenter-zhcn-g2\",\"2012-R2-Datacenter\",\"2012-r2-datacenter-gensecond\",\"2012-R2-Datacenter-smalldisk\",\"2012-r2-datacenter-smalldisk-g2\",\"2012-R2-Datacenter-zhcn\",\"2012-r2-datacenter-zhcn-g2\",\"2016-Datacenter\",\"2016-datacenter-gensecond\",\"2016-datacenter-gs\",\"2016-Datacenter-Server-Core\",\"2016-datacenter-server-core-g2\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-datacenter-server-core-smalldisk-g2\",\"2016-Datacenter-smalldisk\",\"2016-datacenter-smalldisk-g2\",\"2016-Datacenter-with-Containers\",\"2016-datacenter-with-containers-g2\",\"2016-Datacenter-with-RDSH\",\"2016-Datacenter-zhcn\",\"2016-datacenter-zhcn-g2\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-datacenter-core-g2\",\"2019-Datacenter-Core-smalldisk\",\"2019-datacenter-core-smalldisk-g2\",\"2019-Datacenter-Core-with-Containers\",\"2019-datacenter-core-with-containers-g2\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-datacenter-core-with-containers-smalldisk-g2\",\"2019-datacenter-gensecond\",\"2019-datacenter-gs\",\"2019-Datacenter-smalldisk\",\"2019-datacenter-smalldisk-g2\",\"2019-Datacenter-with-Containers\",\"2019-datacenter-with-containers-g2\",\"2019-Datacenter-with-Containers-smalldisk\",\"2019-datacenter-with-containers-smalldisk-g2\",\"2019-Datacenter-zhcn\",\"2019-datacenter-zhcn-g2\",\"Datacenter-Core-1803-with-Containers-smalldisk\",\"datacenter-core-1803-with-containers-smalldisk-g2\",\"Datacenter-Core-1809-with-Containers-smalldisk\",\"data
center-core-1809-with-containers-smalldisk-g2\",\"Datacenter-Core-1903-with-Containers-smalldisk\",\"datacenter-core-1903-with-containers-smalldisk-g2\",\"datacenter-core-1909-with-containers-smalldisk\",\"datacenter-core-1909-with-containers-smalldisk-g1\",\"datacenter-core-1909-with-containers-smalldisk-g2\"]}]},\"then\":{\"details\":{\"deployment\":{\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"domainFQDN\":{\"value\":\"[parameters('domainFQDN')]\"},\"domainOUPath\":{\"value\":\"[parameters('domainOUPath')]\"},\"domainPassword\":{\"reference\":{\"keyVault\":{\"id\":\"[parameters('keyVaultResourceId')]\"},\"secretName\":\"[parameters('domainPassword')]\"}},\"domainUsername\":{\"reference\":{\"keyVault\":{\"id\":\"[parameters('keyVaultResourceId')]\"},\"secretName\":\"[parameters('domainUsername')]\"}},\"keyVaultResourceId\":{\"value\":\"[parameters('keyVaultResourceId')]\"},\"location\":{\"value\":\"[field('location')]\"},\"vmName\":{\"value\":\"[field('name')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"outputs\":{},\"parameters\":{\"domainFQDN\":{\"type\":\"String\"},\"domainOUPath\":{\"type\":\"String\"},\"domainPassword\":{\"type\":\"securestring\"},\"domainUsername\":{\"type\":\"String\"},\"keyVaultResourceId\":{\"type\":\"String\"},\"location\":{\"type\":\"String\"},\"vmName\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2015-06-15\",\"location\":\"[resourceGroup().location]\",\"name\":\"[concat(variables('vmName'),'/joindomain')]\",\"properties\":{\"autoUpgradeMinorVersion\":true,\"protectedSettings\":{\"Password\":\"[parameters('domainPassword')]\"},\"publisher\":\"Microsoft.Compute\",\"settings\":{\"Name\":\"[parameters('domainFQDN')]\",\"OUPath\":\"[parameters('domainOUPath')]\",\"Options\":\"[variables('domainJoinOptions')]\",\"Restart\":\"true\",\"User\":\"[parameters('domainUserName')]\"},\"type\":\"JsonADDomainExtension\",\"t
ypeHandlerVersion\":\"1.3\"},\"type\":\"Microsoft.Compute/virtualMachines/extensions\"}],\"variables\":{\"domainJoinOptions\":3,\"vmName\":\"[parameters('vmName')]\"}}}},\"existenceCondition\":{\"allOf\":[{\"equals\":\"JsonADDomainExtension\",\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\"},{\"equals\":\"Microsoft.Compute\",\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\"}]},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"],\"type\":\"Microsoft.Compute/virtualMachines/extensions\"},\"effect\":\"[parameters('effect')]\"}}", + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints\"]", + "mode": "managed", + "type": "azurerm_policy_set_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints", + "display_name": "Public network access should be disabled for PaaS services", + "management_group_id": "root-id-1", + "name": "Deny-PublicPaaSEndpoints", + "parameters": "{\"ACRPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies the creation of Azure Container Registires with exposed public endpoints \",\"displayName\":\"Public network access on Azure Container Registry 
disabled\"},\"type\":\"String\"},\"AFSPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies the creation of Azure File Sync instances with exposed public endpoints \",\"displayName\":\"Public network access on Azure File Sync disabled\"},\"type\":\"String\"},\"AKSPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies the creation of Azure Kubernetes Service non-private clusters\",\"displayName\":\"Public network access on AKS API should be disabled\"},\"type\":\"String\"},\"BatchPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of Azure Batch Instances with exposed public endpoints\",\"displayName\":\"Public network access should be disabled for Azure Batch Instances\"},\"type\":\"String\"},\"CosmosPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies that Cosmos database accounts are created with out public network access is disabled.\",\"displayName\":\"Public network access should be disabled for CosmosDB\"},\"type\":\"String\"},\"KeyVaultPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\",\"displayName\":\"Public network access should be disabled for KeyVault\"},\"type\":\"String\"},\"MySQLFlexPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\",\"displayName\":\"Public network access should be disabled for MySQL Flexible 
Server\"},\"type\":\"String\"},\"PostgreSQLFlexPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of Postgre SQL Flexible DB accounts with exposed public endpoints\",\"displayName\":\"Public network access should be disabled for PostgreSql Flexible Server\"},\"type\":\"String\"},\"SqlServerPublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of Sql servers with exposed public endpoints\",\"displayName\":\"Public network access on Azure SQL Database should be disabled\"},\"type\":\"String\"},\"StoragePublicIpDenyEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Deny\",\"metadata\":{\"description\":\"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\",\"displayName\":\"Public network access onStorage accounts should be disabled\"},\"type\":\"String\"}}", + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('CosmosPublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a", + "policy_group_names": null, + "reference_id": "CosmosDenyPaasPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('KeyVaultPublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490", + "policy_group_names": null, + "reference_id": "KeyVaultDenyPaasPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlServerPublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780", + "policy_group_names": null, + "reference_id": 
"SqlServerDenyPaasPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('StoragePublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c", + "policy_group_names": null, + "reference_id": "StorageDenyPaasPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AKSPublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8", + "policy_group_names": null, + "reference_id": "AKSDenyPaasPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('ACRPublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f", + "policy_group_names": null, + "reference_id": "ACRDenyPaasPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AFSPublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7", + "policy_group_names": null, + "reference_id": "AFSDenyPaasPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48", + "policy_group_names": null, + "reference_id": "PostgreSQLFlexDenyPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLFlexPublicIpDenyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052", + "policy_group_names": null, + "reference_id": "MySQLFlexDenyPublicIP" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('BatchPublicIpDenyEffect')]\"}}", + "policy_definition_id": 
"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488", + "policy_group_names": null, + "reference_id": "BatchDenyPublicIP" + } + ], + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": { + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + } + ] + } + }, + { + "address": "module.test_core.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics\"]", + "mode": "managed", + "type": "azurerm_policy_set_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included ", + "display_name": "Deploy Diagnostic Settings to Azure Services", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Monitoring\",\"version\":\"1.0.0\"}", + "name": "Deploy-Diagnostics-LogAnalytics", + "parameters": "{\"ACILogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. 
The Policy willset the diagnostic with all metrics enabled.\",\"displayName\":\"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\"},\"type\":\"String\"},\"ACRLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\",\"displayName\":\"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\"},\"type\":\"String\"},\"AKSLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\",\"displayName\":\"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\"},\"type\":\"String\"},\"APIMgmtLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for API Management to Log Analytics workspace\"},\"type\":\"String\"},\"APIforFHIRLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\"},\"type\":\"String\"},\"AnalysisServiceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\"},\"type\":\"String\"},\"AppServiceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\"},\"type\":\"String\"},\"AppServiceWebappLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for App Service to Log Analytics workspace\"},\"type\":\"String\"},\"ApplicationGatewayLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\"},\"type\":\"String\"},\"AutomationLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Automation to Log Analytics workspace\"},\"type\":\"String\"},\"BatchLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Batch to Log Analytics workspace\"},\"type\":\"String\"},\"CDNEndpointsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\"},\"type\":\"String\"},\"CognitiveServicesLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\"},\"type\":\"String\"},\"CosmosLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\"},\"type\":\"String\"},\"DataExplorerClusterLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\"},\"type\":\"String\"},\"DataFactoryLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\"},\"type\":\"String\"},\"DataLakeAnalyticsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\"},\"type\":\"String\"},\"DataLakeStoreLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\"},\"type\":\"String\"},\"DatabricksLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\"},\"type\":\"String\"},\"EventGridSubLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\"},\"type\":\"String\"},\"EventGridTopicLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\"},\"type\":\"String\"},\"EventHubLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\"},\"type\":\"String\"},\"EventSystemTopicLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\"},\"type\":\"String\"},\"ExpressRouteLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\"},\"type\":\"String\"},\"FirewallLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\"},\"type\":\"String\"},\"FrontDoorLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\"},\"type\":\"String\"},\"FunctionAppLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\"},\"type\":\"String\"},\"HDInsightLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\"},\"type\":\"String\"},\"IotHubLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\"},\"type\":\"String\"},\"KeyVaultLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\"},\"type\":\"String\"},\"LoadBalancerLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\"},\"type\":\"String\"},\"LogicAppsISELogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\"},\"type\":\"String\"},\"LogicAppsWFLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\"},\"type\":\"String\"},\"MariaDBLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\"},\"type\":\"String\"},\"MediaServiceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\"},\"type\":\"String\"},\"MlWorkspaceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\"},\"type\":\"String\"},\"MySQLLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\"},\"type\":\"String\"},\"NetworkNICLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\"},\"type\":\"String\"},\"NetworkPublicIPNicLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\"},\"type\":\"String\"},\"NetworkSecurityGroupsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\"},\"type\":\"String\"},\"PostgreSQLLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\"},\"type\":\"String\"},\"PowerBIEmbeddedLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\"},\"type\":\"String\"},\"RedisCacheLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\"},\"type\":\"String\"},\"RelayLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Relay to Log Analytics workspace\"},\"type\":\"String\"},\"SQLDBsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\"},\"type\":\"String\"},\"SQLElasticPoolsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\"},\"type\":\"String\"},\"SQLMLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\"},\"type\":\"String\"},\"SearchServicesLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\"},\"type\":\"String\"},\"ServiceBusLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\"},\"type\":\"String\"},\"SignalRLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\"},\"type\":\"String\"},\"StorageAccountsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\"},\"type\":\"String\"},\"StreamAnalyticsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\"},\"type\":\"String\"},\"TimeSeriesInsightsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\"},\"type\":\"String\"},\"TrafficManagerLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\"},\"type\":\"String\"},\"VMSSLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\"},\"type\":\"String\"},\"VNetGWLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\",\"displayName\":\"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\"},\"type\":\"String\"},\"VirtualMachinesLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\"},\"type\":\"String\"},\"VirtualNetworkLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\"},\"type\":\"String\"},\"WVDAppGroupsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for WVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for WVD Application Groups to Log Analytics workspace\"},\"type\":\"String\"},\"WVDHostPoolsLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for WVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for WVD Host pools to Log Analytics workspace\"},\"type\":\"String\"},\"WVDWorkspaceLogAnalyticsEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploys the diagnostic settings for WVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\"displayName\":\"Deploy Diagnostic Settings for WVD Workspace to Log Analytics workspace\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"},\"profileName\":{\"defaultValue\":\"setbypolicy\",\"metadata\":{\"description\":\"The diagnostic settings profile name\",\"displayName\":\"Profile name\"},\"type\":\"String\"}}", + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('StorageAccountsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474", + "policy_group_names": null, + "reference_id": "StorageAccountDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('WVDAppGroupsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup", + "policy_group_names": null, + "reference_id": "WVDAppGroupDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('WVDWorkspaceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace", + "policy_group_names": null, + "reference_id": "WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('WVDHostPoolsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools", + "policy_group_names": null, + "reference_id": "WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('ACILogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI", + "policy_group_names": null, + "reference_id": "ACIDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('ACRLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR", + "policy_group_names": null, + "reference_id": "ACRDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"diagnosticsSettingNameToUse\":{\"value\":\"[parameters('profileName')]\"},\"effect\":{\"value\":\"[parameters('AKSLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8", + "policy_group_names": null, + "reference_id": "AKSDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('AnalysisServiceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService", + "policy_group_names": null, + "reference_id": "AnalysisServiceDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('APIforFHIRLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR", + "policy_group_names": null, + "reference_id": "APIforFHIRDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('APIMgmtLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt", + "policy_group_names": null, + "reference_id": "APIMgmtDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('ApplicationGatewayLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway", + "policy_group_names": null, + "reference_id": "ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics" + }, + { 
+ "parameter_values": "{\"effect\":{\"value\":\"[parameters('AutomationLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA", + "policy_group_names": null, + "reference_id": "AutomationDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('BatchLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5", + "policy_group_names": null, + "reference_id": "BatchDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('CDNEndpointsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints", + "policy_group_names": null, + "reference_id": "CDNEndpointsDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('CognitiveServicesLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices", + "policy_group_names": null, + "reference_id": "CognitiveServicesDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('CosmosLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB", + "policy_group_names": null, + "reference_id": "CosmosDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('DatabricksLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks", + "policy_group_names": null, + "reference_id": "DatabricksDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataExplorerClusterLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster", + "policy_group_names": null, + "reference_id": "DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataFactoryLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory", + "policy_group_names": null, + "reference_id": "DataFactoryDeployDiagnosticLogDeployLogAnalytics" + }, + { + 
"parameter_values": "{\"effect\":{\"value\":\"[parameters('DataLakeStoreLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03", + "policy_group_names": null, + "reference_id": "DataLakeStoreDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics", + "policy_group_names": null, + "reference_id": "DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('EventGridSubLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub", + "policy_group_names": null, + "reference_id": "EventGridSubDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('EventGridTopicLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic", + "policy_group_names": null, + "reference_id": "EventGridTopicDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('EventHubLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579", + "policy_group_names": null, + "reference_id": "EventHubDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('EventSystemTopicLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic", + "policy_group_names": null, + "reference_id": "EventSystemTopicDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('ExpressRouteLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute", + "policy_group_names": null, + "reference_id": "ExpressRouteDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('FirewallLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall", + "policy_group_names": null, + "reference_id": "FirewallDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('FrontDoorLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor", + "policy_group_names": null, + "reference_id": "FrontDoorDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('FunctionAppLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function", + "policy_group_names": null, + "reference_id": "FunctionAppDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('HDInsightLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight", + "policy_group_names": null, + "reference_id": "HDInsightDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('IotHubLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub", + "policy_group_names": null, + "reference_id": "IotHubDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('KeyVaultLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47", + "policy_group_names": null, + "reference_id": "KeyVaultDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('LoadBalancerLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer", + "policy_group_names": null, + "reference_id": "LoadBalancerDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('LogicAppsISELogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE", + "policy_group_names": null, + "reference_id": "LogicAppsISEDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('LogicAppsWFLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721", + "policy_group_names": null, + "reference_id": "LogicAppsWFDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('MariaDBLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB", + "policy_group_names": null, + "reference_id": "MariaDBDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('MediaServiceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService", + "policy_group_names": null, + "reference_id": "MediaServiceDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('MlWorkspaceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace", + "policy_group_names": null, + "reference_id": "MlWorkspaceDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL", + "policy_group_names": null, + "reference_id": "MySQLDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups", + "policy_group_names": null, + "reference_id": "NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('NetworkNICLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC", + "policy_group_names": null, + "reference_id": "NetworkNICDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL", + "policy_group_names": null, + "reference_id": "PostgreSQLDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded", + "policy_group_names": null, + "reference_id": 
"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"True\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648", + "policy_group_names": null, + "reference_id": "NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3", + "policy_group_names": null, + "reference_id": "RecoveryVaultDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('RedisCacheLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache", + "policy_group_names": null, + "reference_id": "RedisCacheDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('RelayLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay", + "policy_group_names": null, + "reference_id": "RelayDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('SearchServicesLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d", + "policy_group_names": null, + "reference_id": "SearchServicesDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('ServiceBusLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e", + "policy_group_names": null, + "reference_id": "ServiceBusDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SignalRLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR", + "policy_group_names": null, + "reference_id": "SignalRDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"diagnosticsSettingNameToUse\":{\"value\":\"[parameters('profileName')]\"},\"effect\":{\"value\":\"[parameters('SQLDBsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84", + "policy_group_names": null, + "reference_id": "SQLDatabaseDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools", + "policy_group_names": null, + "reference_id": "SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLMLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI", + "policy_group_names": null, + "reference_id": "SQLMDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('StreamAnalyticsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673", + "policy_group_names": null, + "reference_id": "StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights", + "policy_group_names": null, + "reference_id": "TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('TrafficManagerLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager", + "policy_group_names": null, + "reference_id": "TrafficManagerDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('VirtualNetworkLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork", + "policy_group_names": null, + "reference_id": "VirtualNetworkDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('VirtualMachinesLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM", + "policy_group_names": null, + "reference_id": "VirtualMachinesDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('VMSSLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS", + "policy_group_names": null, + "reference_id": "VMSSDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('VNetGWLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW", + "policy_group_names": null, + "reference_id": "VNetGWDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AppServiceLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm", + "policy_group_names": null, + "reference_id": "AppServiceDeployDiagnosticLogDeployLogAnalytics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AppServiceWebappLogAnalyticsEffect')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website", + "policy_group_names": null, + "reference_id": "AppServiceWebappDeployDiagnosticLogDeployLogAnalytics" + } + ], + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": { + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": 
{} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + } + ] + } + }, + { + "address": "module.test_core.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config\"]", + "mode": "managed", + "type": "azurerm_policy_set_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy Microsoft Defender for Cloud configuration", + 
"display_name": "Deploy Microsoft Defender for Cloud configuration", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Security Center\",\"version\":\"3.0.0\"}", + "name": "Deploy-MDFC-Config", + "parameters": "{\"ascExportResourceGroupLocation\":{\"metadata\":{\"description\":\"The location where the resource group and the export to Log Analytics workspace configuration are created.\",\"displayName\":\"Resource Group location for the export to Log Analytics workspace configuration\"},\"type\":\"String\"},\"ascExportResourceGroupName\":{\"metadata\":{\"description\":\"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\",\"displayName\":\"Resource Group name for the export to Log Analytics workspace configuration\"},\"type\":\"String\"},\"emailSecurityContact\":{\"metadata\":{\"description\":\"Provide email address for Microsoft Defender for Cloud contact details\",\"displayName\":\"Security contacts email address\"},\"type\":\"string\"},\"enableAscForAppServices\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForArm\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForContainers\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForDns\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForKeyVault\":{\"metadata\":{\"description\":\"Enable or disable the execution of the 
policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForOssDb\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForServers\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForSql\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForSqlOnVm\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"enableAscForStorage\":{\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"String\"},\"logAnalytics\":{\"metadata\":{\"description\":\"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\"displayName\":\"Primary Log Analytics workspace\",\"strongType\":\"omsWorkspace\"},\"type\":\"String\"}}", + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForOssDb')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a", + "policy_group_names": null, + "reference_id": "defenderForOssDb" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForServers')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222", + "policy_group_names": null, + "reference_id": "defenderForVM" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForSqlOnVm')]\"}}", + "policy_definition_id": 
"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3", + "policy_group_names": null, + "reference_id": "defenderForSqlServerVirtualMachines" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForAppServices')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d", + "policy_group_names": null, + "reference_id": "defenderForAppServices" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForStorage')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3", + "policy_group_names": null, + "reference_id": "defenderForStorageAccounts" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForContainers')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f", + "policy_group_names": null, + "reference_id": "defenderforContainers" + }, + { + "parameter_values": "{\"Effect\":{\"value\":\"[parameters('enableAscForKeyVault')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7", + "policy_group_names": null, + "reference_id": "defenderForKeyVaults" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForDns')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f", + "policy_group_names": null, + "reference_id": "defenderForDns" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('enableAscForArm')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9", + "policy_group_names": null, + "reference_id": "defenderForArm" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('enableAscForSql')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491", + "policy_group_names": null, + "reference_id": "defenderForSqlPaas" + }, + { + "parameter_values": "{\"emailSecurityContact\":{\"value\":\"[parameters('emailSecurityContact')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts", + "policy_group_names": null, + "reference_id": "securityEmailContact" + }, + { + "parameter_values": "{\"resourceGroupLocation\":{\"value\":\"[parameters('ascExportResourceGroupLocation')]\"},\"resourceGroupName\":{\"value\":\"[parameters('ascExportResourceGroupName')]\"},\"workspaceResourceId\":{\"value\":\"[parameters('logAnalytics')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9", + "policy_group_names": null, + "reference_id": "ascExport" + } + ], + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": { + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + } + ] + } + }, + { + "address": "module.test_core.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones\"]", + "mode": "managed", + "type": "azurerm_policy_set_definition", + "name": "enterprise_scale", + "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones", + "display_name": "Configure Azure PaaS services to use private DNS zones", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Network\",\"version\":\"1.0.0\"}", + "name": "Deploy-Private-DNS-Zones", + "parameters": "{\"azureAcrPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureAcrPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureAppPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureAppPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureAppServicesPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureAppServicesPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureAsrPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureAsrPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureBatchPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureBatchPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureCognitiveSearchPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone 
Identifier\",\"displayName\":\"azureCognitiveSearchPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureCognitiveServicesPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureCognitiveServicesPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureDiskAccessPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureDiskAccessPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureEventGridDomainsPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureEventGridDomainsPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureEventGridTopicsPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureEventGridTopicsPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureEventHubNamespacePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureEventHubNamespacePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureFilePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureFilePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureIotHubsPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureIotHubsPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureIotPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone 
Identifier\",\"displayName\":\"azureIotPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureKeyVaultPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureKeyVaultPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureMachineLearningWorkspacePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureMachineLearningWorkspacePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureRedisCachePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureRedisCachePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureServiceBusNamespacePrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureServiceBusNamespacePrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureSignalRPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureSignalRPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"azureWebPrivateDnsZoneId\":{\"metadata\":{\"description\":\"Private DNS Zone Identifier\",\"displayName\":\"azureWebPrivateDnsZoneId\",\"strongType\":\"Microsoft.Network/privateDnsZones\"},\"type\":\"string\"},\"effect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"string\"},\"effect1\":{\"allowedValues\":[\"deployIfNotExists\",\"Disabled\"],\"defaultValue\":\"deployIfNotExists\",\"metadata\":{\"description\":\"Enable or disable the execution of the policy\",\"displayName\":\"Effect\"},\"type\":\"string\"}}", + 
"policy_definition_group": [], + "policy_definition_reference": [ + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureFileprivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-File-Sync" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureWebPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-Web" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureBatchPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-Batch" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureAppPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-App" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureAsrPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-Site-Recovery" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureIotPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-IoT" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureKeyVaultPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-KeyVault" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureSignalRPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-SignalR" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureAppServicesPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-AppServices" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect1')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-EventGridTopics" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureDiskAccessPrivateDnsZoneId')]\"}}", 
+ "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-DiskAccess" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-CognitiveServices" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect1')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureIotHubsPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-IoTHubs" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect1')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-EventGridDomains" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureRedisCachePrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-RedisCache" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureAcrPrivateDnsZoneId')]\"}}", + "policy_definition_id": 
"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-ACR" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-EventHubNamespace" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-MachineLearningWorkspace" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-ServiceBusNamespace" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('effect')]\"},\"privateDnsZoneId\":{\"value\":\"[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009", + "policy_group_names": null, + "reference_id": "DINE-Private-DNS-Azure-CognitiveSearch" + } + ], + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": { + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, 
+ { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + } + ] + } + }, + { + "address": "module.test_core.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security\"]", + "mode": "managed", + "type": "azurerm_policy_set_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment", + "display_name": "Deploy SQL Database built-in SQL security configuration", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"SQL\",\"version\":\"1.0.0\"}", + "name": "Deploy-Sql-Security", + "parameters": "{\"SqlDbAuditingSettingsDeploySqlSecurityEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy auditing settings to SQL Database when it not exist in the deployment\",\"displayName\":\"Deploy SQL database auditing settings\"},\"type\":\"String\"},\"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current 
configuration\",\"displayName\":\"Deploy SQL Database security Alert Policies configuration with email admin accounts\"},\"type\":\"String\"},\"SqlDbTdeDeploySqlSecurityEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy the Transparent Data Encryption when it is not enabled in the deployment\",\"displayName\":\"Deploy SQL Database Transparent Data Encryption \"},\"type\":\"String\"},\"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\",\"displayName\":\"Deploy SQL Database vulnerability Assessments\"},\"type\":\"String\"},\"vulnerabilityAssessmentsEmail\":{\"metadata\":{\"description\":\"The email address to send alerts\",\"displayName\":\"The email address to send alerts\"},\"type\":\"String\"},\"vulnerabilityAssessmentsStorageID\":{\"metadata\":{\"description\":\"The storage account ID to store assessments\",\"displayName\":\"The storage account ID to store assessments\"},\"type\":\"String\"}}", + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde", + "policy_group_names": null, + "reference_id": "SqlDbTdeDeploySqlSecurity" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies", + "policy_group_names": 
null, + "reference_id": "SqlDbSecurityAlertPoliciesDeploySqlSecurity" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings", + "policy_group_names": null, + "reference_id": "SqlDbAuditingSettingsDeploySqlSecurity" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"},\"vulnerabilityAssessmentsEmail\":{\"value\":\"[parameters('vulnerabilityAssessmentsEmail')]\"},\"vulnerabilityAssessmentsStorageID\":{\"value\":\"[parameters('vulnerabilityAssessmentsStorageID')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments", + "policy_group_names": null, + "reference_id": "SqlDbVulnerabilityAssessmentsDeploySqlSecurity" + } + ], + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": { + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + } + ] + } + }, + { + "address": "module.test_core.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit\"]", + "mode": "managed", + "type": "azurerm_policy_set_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Choose either Deploy if not exist and append in combination with audit or 
Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit. ", + "display_name": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Encryption\",\"version\":\"1.0.0\"}", + "name": "Enforce-EncryptTransit", + "parameters": "{\"AKSIngressHttpsOnlyEffect\":{\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"deny\",\"metadata\":{\"description\":\"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\",\"displayName\":\"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\"},\"type\":\"String\"},\"APIAppServiceHttpsEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\"displayName\":\"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\"},\"type\":\"String\"},\"APIAppServiceLatestTlsEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"App Service API App. Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\",\"displayName\":\"App Service API App. 
Latest TLS version should be used in your API App\"},\"type\":\"String\"},\"AppServiceHttpEffect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\",\"displayName\":\"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\"},\"type\":\"String\"},\"AppServiceTlsVersionEffect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\",\"displayName\":\"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\"},\"type\":\"String\"},\"AppServiceminTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"App Service. Select version minimum TLS version for a Web App config to enforce\",\"displayName\":\"App Service. Select version minimum TLS Web App config\"},\"type\":\"String\"},\"FunctionLatestTlsEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\",\"displayName\":\"App Service Function App. Latest TLS version should be used in your Function App\"},\"type\":\"String\"},\"FunctionServiceHttpsEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"App Service Function App. Choose Deny or Audit in combination with Append policy. 
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\"displayName\":\"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\"},\"type\":\"String\"},\"MySQLEnableSSLDeployEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\"},\"type\":\"String\"},\"MySQLEnableSSLEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"MySQL database servers. 
Enforce SSL connection should be enabled for MySQL database servers\"},\"type\":\"String\"},\"MySQLminimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"MySQL database servers. Select version minimum TLS for MySQL server\"},\"type\":\"String\"},\"PostgreSQLEnableSSLDeployEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\"},\"type\":\"String\"},\"PostgreSQLEnableSSLEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"PostgreSQL database servers. 
Enforce SSL connection should be enabled for PostgreSQL database servers\"},\"type\":\"String\"},\"PostgreSQLminimalTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_0\",\"TLS1_1\",\"TLSEnforcementDisabled\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\",\"displayName\":\"PostgreSQL database servers. Select version minimum TLS for MySQL server\"},\"type\":\"String\"},\"RedisMinTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version for a Azure Cache for Redis to enforce\",\"displayName\":\"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\"},\"type\":\"String\"},\"RedisTLSDeployEffect\":{\"allowedValues\":[\"Append\",\"Disabled\"],\"defaultValue\":\"Append\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\"},\"type\":\"String\"},\"RedisTLSEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\",\"displayName\":\"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\"},\"type\":\"String\"},\"SQLManagedInstanceMinTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version for Azure Managed Instanceto to enforce\",\"displayName\":\"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\"},\"type\":\"String\"},\"SQLManagedInstanceTLSDeployEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\"},\"type\":\"String\"},\"SQLManagedInstanceTLSEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. 
Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\",\"displayName\":\"SQL Managed Instance should have the minimal TLS version of 1.2\"},\"type\":\"String\"},\"SQLServerTLSDeployEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\"displayName\":\"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\"},\"type\":\"String\"},\"SQLServerTLSEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\",\"displayName\":\"Azure SQL Database should have the minimal TLS version of 1.2\"},\"type\":\"String\"},\"SQLServerminTlsVersion\":{\"allowedValues\":[\"1.2\",\"1.0\",\"1.1\"],\"defaultValue\":\"1.2\",\"metadata\":{\"description\":\"Select version minimum TLS version for Azure SQL Database to enforce\",\"displayName\":\"Azure SQL Database.Select version minimum TLS for Azure SQL Database\"},\"type\":\"String\"},\"StorageDeployHttpsEnabledEffect\":{\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\",\"metadata\":{\"description\":\"Audit requirement of Secure transfer in your storage account. 
Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\",\"displayName\":\"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\"},\"type\":\"String\"},\"StorageHttpsEnabledEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\",\"displayName\":\"Azure Storage Account. Secure transfer to storage accounts should be enabled\"},\"type\":\"String\"},\"StorageminimumTlsVersion\":{\"allowedValues\":[\"TLS1_2\",\"TLS1_1\",\"TLS1_0\"],\"defaultValue\":\"TLS1_2\",\"metadata\":{\"description\":\"Select version minimum TLS version on Azure Storage Account to enforce\",\"displayName\":\"Storage Account select minimum TLS version\"},\"type\":\"String\"},\"WebAppServiceHttpsEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\",\"Deny\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\"displayName\":\"App Service Web App. Web Application should only be accessible over HTTPS. 
Choose Deny or Audit in combination with Append policy.\"},\"type\":\"String\"},\"WebAppServiceLatestTlsEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\",\"displayName\":\"App Service Web App. Latest TLS version should be used in your Web App\"},\"type\":\"String\"}}", + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AppServiceHttpEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", + "policy_group_names": null, + "reference_id": "AppServiceHttpEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AppServiceTlsVersionEffect')]\"},\"minTlsVersion\":{\"value\":\"[parameters('AppServiceminTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", + "policy_group_names": null, + "reference_id": "AppServiceminTlsVersion" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('APIAppServiceLatestTlsEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e", + "policy_group_names": null, + "reference_id": "APIAppServiceLatestTlsEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('FunctionLatestTlsEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", + "policy_group_names": null, + "reference_id": "FunctionLatestTlsEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('WebAppServiceLatestTlsEffect')]\"}}", + 
"policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", + "policy_group_names": null, + "reference_id": "WebAppServiceLatestTlsEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('APIAppServiceHttpsEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", + "policy_group_names": null, + "reference_id": "APIAppServiceHttpsEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('FunctionServiceHttpsEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", + "policy_group_names": null, + "reference_id": "FunctionServiceHttpsEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('WebAppServiceHttpsEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", + "policy_group_names": null, + "reference_id": "WebAppServiceHttpsEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AKSIngressHttpsOnlyEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "policy_group_names": null, + "reference_id": "AKSIngressHttpsOnlyEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLEnableSSLDeployEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('MySQLminimalTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", + "policy_group_names": null, + "reference_id": "MySQLEnableSSLDeployEffect" + }, + { + 
"parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLEnableSSLEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('MySQLminimalTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", + "policy_group_names": null, + "reference_id": "MySQLEnableSSLEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLEnableSSLDeployEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('PostgreSQLminimalTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", + "policy_group_names": null, + "reference_id": "PostgreSQLEnableSSLDeployEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLEnableSSLEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('PostgreSQLminimalTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", + "policy_group_names": null, + "reference_id": "PostgreSQLEnableSSLEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('RedisTLSDeployEffect')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('RedisMinTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", + "policy_group_names": null, + "reference_id": "RedisTLSDeployEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('RedisTLSDeployEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", + "policy_group_names": null, + "reference_id": 
"RedisdisableNonSslPort" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('RedisTLSEffect')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('RedisMinTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", + "policy_group_names": null, + "reference_id": "RedisDenyhttps" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLManagedInstanceTLSDeployEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('SQLManagedInstanceMinTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", + "policy_group_names": null, + "reference_id": "SQLManagedInstanceTLSDeployEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLManagedInstanceTLSEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('SQLManagedInstanceMinTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", + "policy_group_names": null, + "reference_id": "SQLManagedInstanceTLSEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLServerTLSDeployEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('SQLServerminTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", + "policy_group_names": null, + "reference_id": "SQLServerTLSDeployEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SQLServerTLSEffect')]\"},\"minimalTlsVersion\":{\"value\":\"[parameters('SQLServerminTlsVersion')]\"}}", + "policy_definition_id": 
"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", + "policy_group_names": null, + "reference_id": "SQLServerTLSEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('StorageHttpsEnabledEffect')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('StorageMinimumTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS", + "policy_group_names": null, + "reference_id": "StorageHttpsEnabledEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('StorageDeployHttpsEnabledEffect')]\"},\"minimumTlsVersion\":{\"value\":\"[parameters('StorageMinimumTlsVersion')]\"}}", + "policy_definition_id": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", + "policy_group_names": null, + "reference_id": "StorageDeployHttpsEnabledEffect" + } + ], + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": { + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + } + ] + } + }, + { + "address": 
"module.test_core.azurerm_policy_set_definition.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK\"]", + "mode": "managed", + "type": "azurerm_policy_set_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", + "display_name": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", + "management_group_id": "root-id-1", + "metadata": "{\"category\":\"Encryption\",\"version\":\"1.0.0\"}", + "name": "Enforce-Encryption-CMK", + "parameters": "{\"ACRCmkEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\",\"displayName\":\"Container registries should be encrypted with a customer-managed key (CMK)\"},\"type\":\"String\"},\"AksCmkEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. 
This is a common requirement in many regulatory and industry compliance standards.\",\"displayName\":\"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\"},\"type\":\"String\"},\"AzureBatchCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\",\"displayName\":\"Azure Batch account should use customer-managed keys to encrypt data\"},\"type\":\"String\"},\"CognitiveServicesCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\",\"displayName\":\"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\"},\"type\":\"String\"},\"CosmosCMKEffect\":{\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\",\"metadata\":{\"description\":\"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. 
By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\",\"displayName\":\"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\"},\"type\":\"String\"},\"DataBoxCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\",\"displayName\":\"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\"},\"type\":\"String\"},\"EncryptedVMDisksEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\",\"displayName\":\"Disk encryption should be applied on virtual machines\"},\"type\":\"String\"},\"HealthcareAPIsCMKEffect\":{\"allowedValues\":[\"audit\",\"disabled\"],\"defaultValue\":\"audit\",\"metadata\":{\"description\":\"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. 
Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\",\"displayName\":\"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\"},\"type\":\"String\"},\"MySQLCMKEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\"displayName\":\"Azure MySQL servers bring your own key data protection should be enabled\"},\"type\":\"String\"},\"PostgreSQLCMKEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.\",\"displayName\":\"Azure PostgreSQL servers bring your own key data protection should be enabled\"},\"type\":\"String\"},\"SqlServerTDECMKEffect\":{\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\",\"metadata\":{\"description\":\"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\",\"displayName\":\"SQL servers should use customer-managed keys to encrypt data at rest\"},\"type\":\"String\"},\"StorageCMKEffect\":{\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\",\"displayName\":\"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\"},\"type\":\"String\"},\"StreamAnalyticsCMKEffect\":{\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\",\"metadata\":{\"description\":\"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. 
This gives you total control over how your Stream Analytics data is encrypted.\",\"displayName\":\"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\"},\"type\":\"String\"},\"SynapseWorkspaceCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\",\"displayName\":\"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\"},\"type\":\"String\"},\"WorkspaceCMKEffect\":{\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\",\"metadata\":{\"description\":\"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\",\"displayName\":\"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\"},\"type\":\"String\"}}", + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('ACRCmkEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580", + "policy_group_names": null, + "reference_id": "ACRCmkDeny" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AksCmkEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67", + "policy_group_names": null, + "reference_id": "AksCmkDeny" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('WorkspaceCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8", + "policy_group_names": null, + "reference_id": "WorkspaceCMK" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('CognitiveServicesCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d", + "policy_group_names": null, + "reference_id": "CognitiveServicesCMK" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('CosmosCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f", + "policy_group_names": null, + "reference_id": "CosmosCMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('DataBoxCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae", + "policy_group_names": null, + "reference_id": "DataBoxCMKEffect" + }, + { + "parameter_values": 
"{\"effect\":{\"value\":\"[parameters('StreamAnalyticsCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7", + "policy_group_names": null, + "reference_id": "StreamAnalyticsCMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SynapseWorkspaceCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385", + "policy_group_names": null, + "reference_id": "SynapseWorkspaceCMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('StorageCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25", + "policy_group_names": null, + "reference_id": "StorageCMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('MySQLCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833", + "policy_group_names": null, + "reference_id": "MySQLCMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('PostgreSQLCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274", + "policy_group_names": null, + "reference_id": "PostgreSQLCMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('SqlServerTDECMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd", + "policy_group_names": null, + "reference_id": "SqlServerTDECMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('HealthcareAPIsCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119", + "policy_group_names": null, + "reference_id": 
"HealthcareAPIsCMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('AzureBatchCMKEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a", + "policy_group_names": null, + "reference_id": "AzureBatchCMKEffect" + }, + { + "parameter_values": "{\"effect\":{\"value\":\"[parameters('EncryptedVMDisksEffect')]\"}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d", + "policy_group_names": null, + "reference_id": "EncryptedVMDisksEffect" + } + ], + "policy_type": "Custom", + "timeouts": null + }, + "sensitive_values": { + "policy_definition_group": [], + "policy_definition_reference": [ + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + }, + { + "parameters": {} + } + ] + } + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-connectivity/providers/Microsoft.Authorization/roleAssignments/2c342278-007c-54fe-9248-9b595e234ba9\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-connectivity/providers/Microsoft.Authorization/roleAssignments/2c342278-007c-54fe-9248-9b595e234ba9", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "2c342278-007c-54fe-9248-9b595e234ba9", + "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-connectivity", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/roleAssignments/21394dd9-69ec-512c-9de3-30b670daff24\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/roleAssignments/21394dd9-69ec-512c-9de3-30b670daff24", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "21394dd9-69ec-512c-9de3-30b670daff24", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-corp", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/roleAssignments/6256b2eb-a3a1-5bda-bb68-dcead826f64c\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/roleAssignments/6256b2eb-a3a1-5bda-bb68-dcead826f64c", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "6256b2eb-a3a1-5bda-bb68-dcead826f64c", 
+ "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-corp", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/roleAssignments/d15bcfa9-abc2-502b-89c1-315408118628\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/roleAssignments/d15bcfa9-abc2-502b-89c1-315408118628", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "d15bcfa9-abc2-502b-89c1-315408118628", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-corp", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/roleAssignments/913f587c-77a4-5440-ba16-48de7d0080d2\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/roleAssignments/913f587c-77a4-5440-ba16-48de7d0080d2", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": 
"913f587c-77a4-5440-ba16-48de7d0080d2", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/roleAssignments/cfaa2796-3156-5c78-94a2-7c017ffe32bb\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/roleAssignments/cfaa2796-3156-5c78-94a2-7c017ffe32bb", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "cfaa2796-3156-5c78-94a2-7c017ffe32bb", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-identity", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/1134e9e3-3bc3-5220-89e4-0c7ac5e0e779\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/1134e9e3-3bc3-5220-89e4-0c7ac5e0e779", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + 
"delegated_managed_identity_resource_id": null, + "description": null, + "name": "1134e9e3-3bc3-5220-89e4-0c7ac5e0e779", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/3621f075-0492-5ec9-a8ad-40d284e3e4d1\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/3621f075-0492-5ec9-a8ad-40d284e3e4d1", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "3621f075-0492-5ec9-a8ad-40d284e3e4d1", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/7045a468-5463-57ef-85af-cd7f5397aa16\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/7045a468-5463-57ef-85af-cd7f5397aa16", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + 
"schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "7045a468-5463-57ef-85af-cd7f5397aa16", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/78b4dff1-81d0-5991-aec4-332fdce426cb\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/78b4dff1-81d0-5991-aec4-332fdce426cb", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "78b4dff1-81d0-5991-aec4-332fdce426cb", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/926ac02b-01f3-57dc-b7d0-b7a1056019f4\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": 
"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/926ac02b-01f3-57dc-b7d0-b7a1056019f4", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "926ac02b-01f3-57dc-b7d0-b7a1056019f4", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/a3ca23ea-bd49-51a5-a288-c88857197d75\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/a3ca23ea-bd49-51a5-a288-c88857197d75", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "a3ca23ea-bd49-51a5-a288-c88857197d75", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/bfba15ef-a6d1-5f62-9730-d7ffc81bae8c\"]", + "mode": "managed", + 
"type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/bfba15ef-a6d1-5f62-9730-d7ffc81bae8c", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "bfba15ef-a6d1-5f62-9730-d7ffc81bae8c", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/18ed5180-3e48-46fd-8541-4ea054d57064", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-management/providers/Microsoft.Authorization/roleAssignments/3cc45445-2e8f-5ed8-9e5a-0b73e3739c62\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-management/providers/Microsoft.Authorization/roleAssignments/3cc45445-2e8f-5ed8-9e5a-0b73e3739c62", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "3cc45445-2e8f-5ed8-9e5a-0b73e3739c62", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-management", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": 
"module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/0a0d25df-fef2-54ff-901e-fc6477cebc55\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/0a0d25df-fef2-54ff-901e-fc6477cebc55", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "0a0d25df-fef2-54ff-901e-fc6477cebc55", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-secure", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/3a8cf36e-00e1-5d48-b731-341ea13cf7d8\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/3a8cf36e-00e1-5d48-b731-341ea13cf7d8", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "3a8cf36e-00e1-5d48-b731-341ea13cf7d8", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-secure", + "timeouts": null + }, + 
"sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/5ce6aced-74a3-5723-aa63-eba8c6d90911\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/5ce6aced-74a3-5723-aa63-eba8c6d90911", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "5ce6aced-74a3-5723-aa63-eba8c6d90911", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-secure", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/78569f4a-e104-5554-b21a-194423b56b0e\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/78569f4a-e104-5554-b21a-194423b56b0e", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "78569f4a-e104-5554-b21a-194423b56b0e", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "scope": 
"/providers/Microsoft.Management/managementGroups/root-id-1-secure", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/d3766627-b2af-5525-9be8-9d97a8759a39\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/d3766627-b2af-5525-9be8-9d97a8759a39", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "d3766627-b2af-5525-9be8-9d97a8759a39", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1-secure", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/130a22c1-674c-5a2a-b818-15ffc7d51207\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/130a22c1-674c-5a2a-b818-15ffc7d51207", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "130a22c1-674c-5a2a-b818-15ffc7d51207", + "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/19d1b7bb-0519-5651-91ab-25499f1709ad\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/19d1b7bb-0519-5651-91ab-25499f1709ad", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "19d1b7bb-0519-5651-91ab-25499f1709ad", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/1cfe15cf-6f9b-50ec-9633-06d5bc6524bd\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/1cfe15cf-6f9b-50ec-9633-06d5bc6524bd", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "1cfe15cf-6f9b-50ec-9633-06d5bc6524bd", + "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/281224b7-afc9-5e49-8553-8ca4d6c01a8a\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/281224b7-afc9-5e49-8553-8ca4d6c01a8a", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "281224b7-afc9-5e49-8553-8ca4d6c01a8a", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/3c229c60-0645-5f79-82d7-19eb11ddf257\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/3c229c60-0645-5f79-82d7-19eb11ddf257", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "3c229c60-0645-5f79-82d7-19eb11ddf257", + "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/3d13a056-fa9d-5f48-99ec-546f9eae65c7\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/3d13a056-fa9d-5f48-99ec-546f9eae65c7", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "3d13a056-fa9d-5f48-99ec-546f9eae65c7", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/4a679915-ced3-5c00-88d6-4f66597b95a4\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/4a679915-ced3-5c00-88d6-4f66597b95a4", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "4a679915-ced3-5c00-88d6-4f66597b95a4", + "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/4e722adf-bfdc-516b-9dde-5eff6fbd980e\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/4e722adf-bfdc-516b-9dde-5eff6fbd980e", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "4e722adf-bfdc-516b-9dde-5eff6fbd980e", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/5ff839a8-6bd0-5967-b385-4340bdeda854\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/5ff839a8-6bd0-5967-b385-4340bdeda854", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "5ff839a8-6bd0-5967-b385-4340bdeda854", + "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/6ebb856f-5448-5efc-9dc4-07e7065dc6ff\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/6ebb856f-5448-5efc-9dc4-07e7065dc6ff", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "6ebb856f-5448-5efc-9dc4-07e7065dc6ff", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/70f977db-fccf-5d76-bb11-5ad6feb44946\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/70f977db-fccf-5d76-bb11-5ad6feb44946", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "70f977db-fccf-5d76-bb11-5ad6feb44946", + "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/7eaea779-6033-5588-93af-e5dd34f731ab\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/7eaea779-6033-5588-93af-e5dd34f731ab", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "7eaea779-6033-5588-93af-e5dd34f731ab", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/7f9a44eb-87f1-5b90-bcff-fcf48b20b251\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/7f9a44eb-87f1-5b90-bcff-fcf48b20b251", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "7f9a44eb-87f1-5b90-bcff-fcf48b20b251", + "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/95eb7160-7dee-545e-8f03-79c8f032e209\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/95eb7160-7dee-545e-8f03-79c8f032e209", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "95eb7160-7dee-545e-8f03-79c8f032e209", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/97e99bb6-2763-5021-9eab-f1ffdac9b044\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/97e99bb6-2763-5021-9eab-f1ffdac9b044", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "97e99bb6-2763-5021-9eab-f1ffdac9b044", + "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/9f0d40ef-ca61-583f-a469-66e7a784d085\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/9f0d40ef-ca61-583f-a469-66e7a784d085", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "9f0d40ef-ca61-583f-a469-66e7a784d085", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/a77036d7-9519-59c5-8a42-5fc5ebe92c6c\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/a77036d7-9519-59c5-8a42-5fc5ebe92c6c", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "a77036d7-9519-59c5-8a42-5fc5ebe92c6c", + "role_definition_id": 
"/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_assignment.policy_assignment[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/e6ebf244-85df-5894-9b3e-1860d63ddf5f\"]", + "mode": "managed", + "type": "azurerm_role_assignment", + "name": "policy_assignment", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/e6ebf244-85df-5894-9b3e-1860d63ddf5f", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "condition": null, + "condition_version": null, + "delegated_managed_identity_resource_id": null, + "description": null, + "name": "e6ebf244-85df-5894-9b3e-1860d63ddf5f", + "role_definition_id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_core.azurerm_role_definition.enterprise_scale[\"/providers/Microsoft.Authorization/roleDefinitions/6a8ddaca-120a-579a-a375-1abe30d29f6d\"]", + "mode": "managed", + "type": "azurerm_role_definition", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Authorization/roleDefinitions/6a8ddaca-120a-579a-a375-1abe30d29f6d", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 1, + "values": { + "assignable_scopes": [ + "/providers/Microsoft.Management/managementGroups/root-id-1" + ], + "description": "Enterprise-scale custom Role Definition. 
Grants full access to manage Virtual Network subnets, but no other network resources.", + "name": "[ROOT-ID-1] Network-Subnet-Contributor", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*", + "Microsoft.Network/*/read", + "Microsoft.Network/virtualNetworks/subnets/*" + ], + "data_actions": null, + "not_actions": [], + "not_data_actions": null + } + ], + "role_definition_id": "6a8ddaca-120a-579a-a375-1abe30d29f6d", + "scope": "/providers/Microsoft.Management/managementGroups/root-id-1", + "timeouts": null + }, + "sensitive_values": { + "assignable_scopes": [ + false + ], + "permissions": [ + { + "actions": [ + false, + false, + false, + false, + false, + false, + false, + false + ], + "not_actions": [] + } + ] + } + }, + { + "address": "module.test_core.time_sleep.after_azurerm_management_group", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_management_group", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "120s", + "destroy_duration": "0s", + "triggers": { + "azurerm_management_group_level_1": "[\"/providers/Microsoft.Management/managementGroups/root-id-1\"]", + "azurerm_management_group_level_2": "[\"/providers/Microsoft.Management/managementGroups/root-id-1-decommissioned\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones\",\"/providers/Microsoft.Management/managementGroups/root-id-1-platform\",\"/providers/Microsoft.Management/managementGroups/root-id-1-sandboxes\"]", + "azurerm_management_group_level_3": 
"[\"/providers/Microsoft.Management/managementGroups/root-id-1-connectivity\",\"/providers/Microsoft.Management/managementGroups/root-id-1-corp\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity\",\"/providers/Microsoft.Management/managementGroups/root-id-1-management\",\"/providers/Microsoft.Management/managementGroups/root-id-1-online\",\"/providers/Microsoft.Management/managementGroups/root-id-1-sap\",\"/providers/Microsoft.Management/managementGroups/root-id-1-secure\"]", + "azurerm_management_group_level_4": "[\"/providers/Microsoft.Management/managementGroups/root-id-1-web-emea\",\"/providers/Microsoft.Management/managementGroups/root-id-1-web-global\",\"/providers/Microsoft.Management/managementGroups/root-id-1-web-us\"]", + "azurerm_management_group_level_5": "[]", + "azurerm_management_group_level_6": "[]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_core.time_sleep.after_azurerm_policy_assignment", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_policy_assignment", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_management_group_policy_assignment_enterprise_scale": 
"[\"/providers/Microsoft.Management/managementGroups/root-id-1-connectivity/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET\",\"/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/policyAssignments/Deny-Public-Endpoints\",\"/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/policyAssignments/Deploy-Private-DNS-Zones\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Public-IP\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-IP-Forwarding\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Containers-AKS\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Escalation-AKS\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Storage-http\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/provider
s/Microsoft.Authorization/policyAssignments/Deploy-AKS-Policy\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-DB-Auditing\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Threat\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-AKS-HTTPS\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL\",\"/providers/Microsoft.Management/managementGroups/root-id-1-management/providers/Microsoft.Authorization/policyAssignments/Deploy-Log-Analytics\",\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\",\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\",\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/policyAssignments/Deploy-HITRUST-HIPAA\",\"/providers/Microsoft.Management/managementGroups/root-id-1-web-emea/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\",\"/providers/Microsoft.Management/managementGroups/root-id-1-web-emea/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\",\"/providers/Microsoft.Management/managementGroups/root-id-1-web-us/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\",\"/providers/Microsoft.Management/management
Groups/root-id-1-web-us/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Monitoring\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-AzActivity-Log\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-HITRUST-HIPAA\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-LX-Arc-Monitoring\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-MDFC-Config\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-Resource-Diag\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Auditing\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-Monitoring\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyAssignments/Deploy-WS-Arc-Monitoring\"]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_core.time_sleep.after_azurerm_policy_definition", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_policy_definition", + "provider_name": 
"registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_policy_definition_enterprise_scale": "[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AA-child-resources\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Auth
orization/policyDefinitions/Deny-Databricks-Sku\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Aks\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-SubnetId\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-VmSize\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-Scale\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-HbiWorkspace\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicAccessWhenBehindVnet\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Private-DNS-Zones\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\"/provi
ders/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deny-VNet-Peering\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Budget\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Custom-Route-Table\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-DDoSProtection\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitio
ns/Deploy-Diagnostics-AA\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Mic
rosoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\"/providers/Microsoft.Management
/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\"/provi
ders/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-FirewallPolicy\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs-to-LA\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\"/provi
ders/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-VNET-HubSpoke\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policyDefinitions/Deploy-Windows-DomainJoin\"]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_core.time_sleep.after_azurerm_policy_set_definition", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_policy_set_definition", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_policy_set_definition_enterprise_scale": 
"[\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK\"]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_core.time_sleep.after_azurerm_role_assignment", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_role_assignment", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_policy_assignment_enterprise_scale": "[]", + "azurerm_policy_assignment_policy_assignment": 
"[\"/providers/Microsoft.Management/managementGroups/root-id-1-connectivity/providers/Microsoft.Authorization/roleAssignments/2c342278-007c-54fe-9248-9b595e234ba9\",\"/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/roleAssignments/21394dd9-69ec-512c-9de3-30b670daff24\",\"/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/roleAssignments/6256b2eb-a3a1-5bda-bb68-dcead826f64c\",\"/providers/Microsoft.Management/managementGroups/root-id-1-corp/providers/Microsoft.Authorization/roleAssignments/d15bcfa9-abc2-502b-89c1-315408118628\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/roleAssignments/913f587c-77a4-5440-ba16-48de7d0080d2\",\"/providers/Microsoft.Management/managementGroups/root-id-1-identity/providers/Microsoft.Authorization/roleAssignments/cfaa2796-3156-5c78-94a2-7c017ffe32bb\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/1134e9e3-3bc3-5220-89e4-0c7ac5e0e779\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/3621f075-0492-5ec9-a8ad-40d284e3e4d1\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/7045a468-5463-57ef-85af-cd7f5397aa16\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/78b4dff1-81d0-5991-aec4-332fdce426cb\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/926ac02b-01f3-57dc-b7d0-b7a1056019f4\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones/providers/Microsoft.Authorization/roleAssignments/a3ca23ea-bd49-51a5-a288-c88857197d75\",\"/providers/Microsoft.Management/managementGroups/root-id-1-landing
-zones/providers/Microsoft.Authorization/roleAssignments/bfba15ef-a6d1-5f62-9730-d7ffc81bae8c\",\"/providers/Microsoft.Management/managementGroups/root-id-1-management/providers/Microsoft.Authorization/roleAssignments/3cc45445-2e8f-5ed8-9e5a-0b73e3739c62\",\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/0a0d25df-fef2-54ff-901e-fc6477cebc55\",\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/3a8cf36e-00e1-5d48-b731-341ea13cf7d8\",\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/5ce6aced-74a3-5723-aa63-eba8c6d90911\",\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/78569f4a-e104-5554-b21a-194423b56b0e\",\"/providers/Microsoft.Management/managementGroups/root-id-1-secure/providers/Microsoft.Authorization/roleAssignments/d3766627-b2af-5525-9be8-9d97a8759a39\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/130a22c1-674c-5a2a-b818-15ffc7d51207\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/19d1b7bb-0519-5651-91ab-25499f1709ad\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/1cfe15cf-6f9b-50ec-9633-06d5bc6524bd\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/281224b7-afc9-5e49-8553-8ca4d6c01a8a\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/3c229c60-0645-5f79-82d7-19eb11ddf257\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/3d13a056-fa9d-5f48-99ec-546f9eae65c7\",\"/providers/Microsoft.Management/managementGroups/root-id
-1/providers/Microsoft.Authorization/roleAssignments/4a679915-ced3-5c00-88d6-4f66597b95a4\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/4e722adf-bfdc-516b-9dde-5eff6fbd980e\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/5ff839a8-6bd0-5967-b385-4340bdeda854\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/6ebb856f-5448-5efc-9dc4-07e7065dc6ff\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/70f977db-fccf-5d76-bb11-5ad6feb44946\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/7eaea779-6033-5588-93af-e5dd34f731ab\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/7f9a44eb-87f1-5b90-bcff-fcf48b20b251\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/95eb7160-7dee-545e-8f03-79c8f032e209\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/97e99bb6-2763-5021-9eab-f1ffdac9b044\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/9f0d40ef-ca61-583f-a469-66e7a784d085\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/a77036d7-9519-59c5-8a42-5fc5ebe92c6c\",\"/providers/Microsoft.Management/managementGroups/root-id-1/providers/Microsoft.Authorization/roleAssignments/e6ebf244-85df-5894-9b3e-1860d63ddf5f\"]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_core.time_sleep.after_azurerm_role_definition", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_role_definition", + "provider_name": 
"registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_role_definition_enterprise_scale": "[\"/providers/Microsoft.Authorization/roleDefinitions/6a8ddaca-120a-579a-a375-1abe30d29f6d\"]" + } + }, + "sensitive_values": { + "triggers": {} + } + } + ], + "address": "module.test_core" + }, + { + "resources": [ + { + "address": "module.test_core_nested.azurerm_management_group.level_1[\"/providers/Microsoft.Management/managementGroups/root-id-1-custom-lz1\"]", + "mode": "managed", + "type": "azurerm_management_group", + "name": "level_1", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-custom-lz1", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "display_name": "Nested Custom LZ1", + "name": "root-id-1-custom-lz1", + "parent_management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-landing-zones", + "timeouts": null + }, + "sensitive_values": { + "subscription_ids": [] + } + }, + { + "address": "module.test_core_nested.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-custom-lz1/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-custom-lz1/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Specifies the allowed locations (regions) where Resource Groups can be deployed. 
Generated from custom Terraform template.", + "display_name": "Limit allowed locations for Resource Groups", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-custom-lz1", + "name": "Deny-RSG-Locations", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"eastus\",\"eastus2\",\"westus\",\"northcentralus\",\"southcentralus\"]}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core_nested.azurerm_management_group_policy_assignment.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/root-id-1-custom-lz1/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\"]", + "mode": "managed", + "type": "azurerm_management_group_policy_assignment", + "name": "enterprise_scale", + "index": "/providers/Microsoft.Management/managementGroups/root-id-1-custom-lz1/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "description": "Specifies the allowed locations (regions) where Resources can be deployed.", + "display_name": "Limit allowed locations for Resources", + "enforce": true, + "identity": [], + "location": "northeurope", + "management_group_id": "/providers/Microsoft.Management/managementGroups/root-id-1-custom-lz1", + "name": "Deny-Resource-Locations", + "non_compliance_message": [], + "not_scopes": [], + "parameters": "{\"listOfAllowedLocations\":{\"value\":[\"northcentralus\",\"southcentralus\"]}}", + "policy_definition_id": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", + "timeouts": 
null + }, + "sensitive_values": { + "identity": [], + "non_compliance_message": [], + "not_scopes": [] + } + }, + { + "address": "module.test_core_nested.time_sleep.after_azurerm_management_group", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_management_group", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "120s", + "destroy_duration": "0s", + "triggers": { + "azurerm_management_group_level_1": "[\"/providers/Microsoft.Management/managementGroups/root-id-1-custom-lz1\"]", + "azurerm_management_group_level_2": "[]", + "azurerm_management_group_level_3": "[]", + "azurerm_management_group_level_4": "[]", + "azurerm_management_group_level_5": "[]", + "azurerm_management_group_level_6": "[]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_core_nested.time_sleep.after_azurerm_policy_assignment", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_policy_assignment", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_management_group_policy_assignment_enterprise_scale": "[\"/providers/Microsoft.Management/managementGroups/root-id-1-custom-lz1/providers/Microsoft.Authorization/policyAssignments/Deny-RSG-Locations\",\"/providers/Microsoft.Management/managementGroups/root-id-1-custom-lz1/providers/Microsoft.Authorization/policyAssignments/Deny-Resource-Locations\"]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_core_nested.time_sleep.after_azurerm_policy_definition", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_policy_definition", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + 
"azurerm_policy_definition_enterprise_scale": "[]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_core_nested.time_sleep.after_azurerm_policy_set_definition", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_policy_set_definition", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_policy_set_definition_enterprise_scale": "[]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_core_nested.time_sleep.after_azurerm_role_assignment", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_role_assignment", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_policy_assignment_enterprise_scale": "[]", + "azurerm_policy_assignment_policy_assignment": "[]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_core_nested.time_sleep.after_azurerm_role_definition", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_role_definition", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_role_definition_enterprise_scale": "[]" + } + }, + "sensitive_values": { + "triggers": {} + } + } + ], + "address": "module.test_core_nested" + }, + { + "resources": [ + { + "address": "module.test_management.azurerm_automation_account.management[\"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.Automation/automationAccounts/root-id-1-automation\"]", + "mode": "managed", + "type": "azurerm_automation_account", + "name": "management", + "index": 
"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.Automation/automationAccounts/root-id-1-automation", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "identity": [], + "location": "northeurope", + "name": "root-id-1-automation", + "resource_group_name": "root-id-1-mgmt", + "sku_name": "Basic", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework/management" + }, + "timeouts": null + }, + "sensitive_values": { + "identity": [], + "tags": {} + } + }, + { + "address": "module.test_management.azurerm_log_analytics_linked_service.management[\"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la/linkedServices/Automation\"]", + "mode": "managed", + "type": "azurerm_log_analytics_linked_service", + "name": "management", + "index": "/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la/linkedServices/Automation", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "read_access_id": "/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.Automation/automationAccounts/root-id-1-automation", + "resource_group_name": "root-id-1-mgmt", + "tags": null, + "timeouts": null, + "workspace_id": "/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la", + "write_access_id": null + }, + "sensitive_values": {} + }, + { + "address": "module.test_management.azurerm_log_analytics_solution.management[\"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationsManagement/solutions/AgentHealthAssessment(root-id-1-la)\"]", + "mode": "managed", 
+ "type": "azurerm_log_analytics_solution", + "name": "management", + "index": "/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationsManagement/solutions/AgentHealthAssessment(root-id-1-la)", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "location": "northeurope", + "plan": [ + { + "product": "OMSGallery/AgentHealthAssessment", + "promotion_code": null, + "publisher": "Microsoft" + } + ], + "resource_group_name": "root-id-1-mgmt", + "solution_name": "AgentHealthAssessment", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework/management" + }, + "timeouts": null, + "workspace_name": "root-id-1-la", + "workspace_resource_id": "/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la" + }, + "sensitive_values": { + "plan": [ + {} + ], + "tags": {} + } + }, + { + "address": "module.test_management.azurerm_log_analytics_solution.management[\"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationsManagement/solutions/AzureActivity(root-id-1-la)\"]", + "mode": "managed", + "type": "azurerm_log_analytics_solution", + "name": "management", + "index": "/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationsManagement/solutions/AzureActivity(root-id-1-la)", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "location": "northeurope", + "plan": [ + { + "product": "OMSGallery/AzureActivity", + "promotion_code": null, + "publisher": "Microsoft" + } + ], + "resource_group_name": "root-id-1-mgmt", + "solution_name": "AzureActivity", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework/management" + }, + "timeouts": null, + "workspace_name": "root-id-1-la", + 
"workspace_resource_id": "/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la" + }, + "sensitive_values": { + "plan": [ + {} + ], + "tags": {} + } + }, + { + "address": "module.test_management.azurerm_log_analytics_solution.management[\"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationsManagement/solutions/ChangeTracking(root-id-1-la)\"]", + "mode": "managed", + "type": "azurerm_log_analytics_solution", + "name": "management", + "index": "/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationsManagement/solutions/ChangeTracking(root-id-1-la)", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "location": "northeurope", + "plan": [ + { + "product": "OMSGallery/ChangeTracking", + "promotion_code": null, + "publisher": "Microsoft" + } + ], + "resource_group_name": "root-id-1-mgmt", + "solution_name": "ChangeTracking", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework/management" + }, + "timeouts": null, + "workspace_name": "root-id-1-la", + "workspace_resource_id": "/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la" + }, + "sensitive_values": { + "plan": [ + {} + ], + "tags": {} + } + }, + { + "address": "module.test_management.azurerm_log_analytics_solution.management[\"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationsManagement/solutions/ServiceMap(root-id-1-la)\"]", + "mode": "managed", + "type": "azurerm_log_analytics_solution", + "name": "management", + "index": 
"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationsManagement/solutions/ServiceMap(root-id-1-la)", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "location": "northeurope", + "plan": [ + { + "product": "OMSGallery/ServiceMap", + "promotion_code": null, + "publisher": "Microsoft" + } + ], + "resource_group_name": "root-id-1-mgmt", + "solution_name": "ServiceMap", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework/management" + }, + "timeouts": null, + "workspace_name": "root-id-1-la", + "workspace_resource_id": "/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la" + }, + "sensitive_values": { + "plan": [ + {} + ], + "tags": {} + } + }, + { + "address": "module.test_management.azurerm_log_analytics_solution.management[\"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationsManagement/solutions/Updates(root-id-1-la)\"]", + "mode": "managed", + "type": "azurerm_log_analytics_solution", + "name": "management", + "index": "/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationsManagement/solutions/Updates(root-id-1-la)", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "location": "northeurope", + "plan": [ + { + "product": "OMSGallery/Updates", + "promotion_code": null, + "publisher": "Microsoft" + } + ], + "resource_group_name": "root-id-1-mgmt", + "solution_name": "Updates", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework/management" + }, + "timeouts": null, + "workspace_name": "root-id-1-la", + "workspace_resource_id": 
"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la" + }, + "sensitive_values": { + "plan": [ + {} + ], + "tags": {} + } + }, + { + "address": "module.test_management.azurerm_log_analytics_solution.management[\"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationsManagement/solutions/VMInsights(root-id-1-la)\"]", + "mode": "managed", + "type": "azurerm_log_analytics_solution", + "name": "management", + "index": "/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationsManagement/solutions/VMInsights(root-id-1-la)", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "location": "northeurope", + "plan": [ + { + "product": "OMSGallery/VMInsights", + "promotion_code": null, + "publisher": "Microsoft" + } + ], + "resource_group_name": "root-id-1-mgmt", + "solution_name": "VMInsights", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework/management" + }, + "timeouts": null, + "workspace_name": "root-id-1-la", + "workspace_resource_id": "/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la" + }, + "sensitive_values": { + "plan": [ + {} + ], + "tags": {} + } + }, + { + "address": "module.test_management.azurerm_log_analytics_workspace.management[\"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la\"]", + "mode": "managed", + "type": "azurerm_log_analytics_workspace", + "name": "management", + "index": "/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt/providers/Microsoft.OperationalInsights/workspaces/root-id-1-la", + "provider_name": 
"registry.terraform.io/hashicorp/azurerm", + "schema_version": 2, + "values": { + "daily_quota_gb": -1, + "internet_ingestion_enabled": true, + "internet_query_enabled": true, + "location": "northeurope", + "name": "root-id-1-la", + "resource_group_name": "root-id-1-mgmt", + "retention_in_days": 60, + "sku": "PerGB2018", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework/management" + }, + "timeouts": null + }, + "sensitive_values": { + "tags": {} + } + }, + { + "address": "module.test_management.azurerm_resource_group.management[\"/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt\"]", + "mode": "managed", + "type": "azurerm_resource_group", + "name": "management", + "index": "/subscriptions/4d59de28-6dfe-4706-a4df-50ebe695a300/resourceGroups/root-id-1-mgmt", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "location": "northeurope", + "name": "root-id-1-mgmt", + "tags": { + "deployedBy": "terraform/azure/caf-enterprise-scale/test_framework/management" + }, + "timeouts": null + }, + "sensitive_values": { + "tags": {} + } + }, + { + "address": "module.test_management.time_sleep.after_azurerm_management_group", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_management_group", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_management_group_level_1": "[]", + "azurerm_management_group_level_2": "[]", + "azurerm_management_group_level_3": "[]", + "azurerm_management_group_level_4": "[]", + "azurerm_management_group_level_5": "[]", + "azurerm_management_group_level_6": "[]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_management.time_sleep.after_azurerm_policy_assignment", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_policy_assignment", + 
"provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_management_group_policy_assignment_enterprise_scale": "[]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_management.time_sleep.after_azurerm_policy_definition", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_policy_definition", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_policy_definition_enterprise_scale": "[]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_management.time_sleep.after_azurerm_policy_set_definition", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_policy_set_definition", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "30s", + "destroy_duration": "0s", + "triggers": { + "azurerm_policy_set_definition_enterprise_scale": "[]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_management.time_sleep.after_azurerm_role_assignment", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_role_assignment", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + "create_duration": "0s", + "destroy_duration": "0s", + "triggers": { + "azurerm_policy_assignment_enterprise_scale": "[]", + "azurerm_policy_assignment_policy_assignment": "[]" + } + }, + "sensitive_values": { + "triggers": {} + } + }, + { + "address": "module.test_management.time_sleep.after_azurerm_role_definition", + "mode": "managed", + "type": "time_sleep", + "name": "after_azurerm_role_definition", + "provider_name": "registry.terraform.io/hashicorp/time", + "schema_version": 0, + "values": { + 
"create_duration": "60s", + "destroy_duration": "0s", + "triggers": { + "azurerm_role_definition_enterprise_scale": "[]" + } + }, + "sensitive_values": { + "triggers": {} + } + } + ], + "address": "module.test_management" + } + ] +} diff --git a/tests/modules/test_003_add_mgmt_conn/providers.tf b/tests/modules/test_003_add_mgmt_conn/providers.tf new file mode 100644 index 00000000..83314ab1 --- /dev/null +++ b/tests/modules/test_003_add_mgmt_conn/providers.tf @@ -0,0 +1,13 @@ +provider "azurerm" { + features {} +} + +provider "azurerm" { + alias = "connectivity" + features {} +} + +provider "azurerm" { + alias = "management" + features {} +} diff --git a/tests/modules/test_003_add_mgmt_conn/settings.tf b/tests/modules/test_003_add_mgmt_conn/settings.tf new file mode 100644 index 00000000..efce301f --- /dev/null +++ b/tests/modules/test_003_add_mgmt_conn/settings.tf @@ -0,0 +1,7 @@ +# Obtain configuration settings. +module "settings" { + source = "../settings" + + root_id = var.root_id + primary_location = var.primary_location +} diff --git a/tests/modules/test_003_add_mgmt_conn/terraform.tf b/tests/modules/test_003_add_mgmt_conn/terraform.tf new file mode 100644 index 00000000..dbf21f3a --- /dev/null +++ b/tests/modules/test_003_add_mgmt_conn/terraform.tf @@ -0,0 +1,15 @@ +terraform { + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "2.96.0" + configuration_aliases = [ + azurerm.connectivity, + azurerm.management, + ] + } + } + backend "local" { + path = "../tfstate/test_framework.tfstate" + } +} diff --git a/tests/modules/test_003_add_mgmt_conn/variables.tf b/tests/modules/test_003_add_mgmt_conn/variables.tf new file mode 100644 index 00000000..ba5e59a8 --- /dev/null +++ b/tests/modules/test_003_add_mgmt_conn/variables.tf 
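Review bot: The `backend "local"` block added in terraform.tf writes state to `../tfstate/test_framework.tfstate`, which lies outside this module directory, and nothing in the hunk shows whether that directory is kept out of version control. Terraform state stores every managed attribute in plaintext, including the subscription-scoped resource IDs this test creates. If CI overrides the backend and the local path is only a developer fallback, say so above the block, e.g. `# Local state for test runs only; ../tfstate must stay out of version control and pipeline artifacts.`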
@@ -0,0 +1,31 @@
+variable "root_id" {
+ type = string
+ default = "12345"
+}
+
+variable "root_name" {
+ type = string
+ default = "Test Framework"
+}
+
+variable "primary_location" {
+ type = string
+ default = "northeurope"
+}
+
+variable "secondary_location" {
+ type = string
+ default = "westeurope"
+}
+
+variable "create_duration_delay" {
+ type = map(string)
+ default = {
+ azurerm_management_group = "120s"
+ }
+}
+
+variable "destroy_duration_delay" {
+ type = map(string)
+ default = {}
+}
diff --git a/tests/deployment/lib/archetype_definitions/archetype_definition_customer_online.json b/tests/modules/test_lib/archetype_definitions/archetype_definition_customer_online.json
similarity index 100%
rename from tests/deployment/lib/archetype_definitions/archetype_definition_customer_online.json
rename to tests/modules/test_lib/archetype_definitions/archetype_definition_customer_online.json
diff --git a/tests/deployment/lib/archetype_definitions/archetype_definition_customer_secure.json b/tests/modules/test_lib/archetype_definitions/archetype_definition_customer_secure.json
similarity index 100%
rename from tests/deployment/lib/archetype_definitions/archetype_definition_customer_secure.json
rename to tests/modules/test_lib/archetype_definitions/archetype_definition_customer_secure.json
diff --git a/tests/deployment/lib/archetype_extensions/archetype_extension_es_root.json b/tests/modules/test_lib/archetype_extensions/archetype_extension_es_root.json
similarity index 100%
rename from tests/deployment/lib/archetype_extensions/archetype_extension_es_root.json
rename to tests/modules/test_lib/archetype_extensions/archetype_extension_es_root.json
diff --git a/tests/deployment/lib/policy_assignments/policy_assignment_es_deny_rsg_locations.json.tftpl b/tests/modules/test_lib/policy_assignments/policy_assignment_es_deny_rsg_locations.json.tftpl
similarity index 100%
rename from tests/deployment/lib/policy_assignments/policy_assignment_es_deny_rsg_locations.json.tftpl
rename to tests/modules/test_lib/policy_assignments/policy_assignment_es_deny_rsg_locations.json.tftpl
diff --git a/tests/deployment/lib/policy_assignments/policy_assignment_test_policy_definition.json b/tests/modules/test_lib/policy_assignments/policy_assignment_test_policy_definition.json
similarity index 100%
rename from tests/deployment/lib/policy_assignments/policy_assignment_test_policy_definition.json
rename to tests/modules/test_lib/policy_assignments/policy_assignment_test_policy_definition.json
diff --git a/tests/deployment/lib/policy_assignments/policy_assignment_test_policy_set_definition.json b/tests/modules/test_lib/policy_assignments/policy_assignment_test_policy_set_definition.json
similarity index 100%
rename from tests/deployment/lib/policy_assignments/policy_assignment_test_policy_set_definition.json
rename to tests/modules/test_lib/policy_assignments/policy_assignment_test_policy_set_definition.json
diff --git a/tests/opa/policy/management_groups.rego b/tests/opa/policy/management_groups.rego
index 4591725c..b9383154 100644
--- a/tests/opa/policy/management_groups.rego
+++ b/tests/opa/policy/management_groups.rego
@@ -11,10 +11,10 @@ violation[management_group_display_name] { management_group_display_name := sprintf("The management_group_display_name planned values:\n \n %v \n \n are not equal to the management_group_display_name changed values:\n \n %v", [mgs_plan_display_name, mgs_change_display_name]) } -# # # Compare the management_group_name and fail if they are not equal. -violation[management_group_name] { +# # # Compare the management_group_id and fail if they are not equal. +violation[management_group_id] { mgs_plan_name != mgs_change_name - management_group_name := sprintf("The management_group_name planned values:\n \n %v \n \n are not equal to the management_group_name changed values:\n \n %v", [mgs_plan_name, mgs_change_name]) + management_group_id := sprintf("The management_group_id planned values:\n \n %v \n \n are not equal to the management_group_id changed values:\n \n %v", [mgs_plan_name, mgs_change_name]) } ######################## diff --git a/tests/opa/policy/policy_definitions.rego b/tests/opa/policy/policy_definitions.rego index 601c23de..d92f1c52 100644 --- a/tests/opa/policy/policy_definitions.rego +++ b/tests/opa/policy/policy_definitions.rego 
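Review bot: The renamed rule `violation[management_group_id]` still evaluates `mgs_plan_name != mgs_change_name`, so its failure message now reports "management_group_id" values while the collections being compared are the name helpers. Those helpers are defined outside this hunk, so I cannot confirm which attribute they read. If they still read `name`, keep the rule and message as `management_group_name`; otherwise rename the helpers in the same change, so a failing run points the reader at the attribute that actually drifted.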
@@ -14,10 +14,10 @@ import data.child_modules # policy_definition_name := sprintf("The policy_definition_name planned values:\n \n %v \n \n are not equal to the policy_definition_name changed values:\n \n %v", [plc_def_plan_name, plc_def_change_name]) # } -# # # # Compare the policy_definition_management_group_name and fail if they are not equal. -# violation[policy_definition_management_group_name] { -# plc_def_plan_management_group_name != plc_def_change_management_group_name -# policy_definition_management_group_name := sprintf("The policy_definition_management_group_name planned values:\n \n %v \n \n are not equal to the policy_definition_management_group_name changed values:\n \n %v", [plc_def_plan_management_group_name, plc_def_change_management_group_name]) +# # # # Compare the policy_definition_management_group_id and fail if they are not equal. +# violation[policy_definition_management_group_id] { +# plc_def_plan_management_group_id != plc_def_change_management_group_id +# policy_definition_management_group_id := sprintf("The policy_definition_management_group_id planned values:\n \n %v \n \n are not equal to the policy_definition_management_group_id changed values:\n \n %v", [plc_def_plan_management_group_id, plc_def_change_management_group_id]) # } # # # # Compare the policy_definition_metadata and fail if they are not equal. 
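Review bot: The `policy_definition_management_group_id` rule is still commented out after the rename, so as far as these hunks show, nothing compares the lists built by `plc_def_plan_management_group_id` and `plc_def_change_management_group_id`, which the next hunk (`@@ -62,24 +62,24 @@`) renames. A change in the management group scope of a policy definition would then pass this file's checks unnoticed. Either re-enable the rule by removing the leading `# ` from its four lines, or record why it is off, e.g. `# Disabled: <reason>; management_group_id of policy definitions is not asserted here.`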
@@ -62,24 +62,24 @@ plc_def_change_name[module_name] = pl_defs { ] } -# # # Get the management_group_name from all policy definitions in planned_values.yml -plc_def_plan_management_group_name[module_name] = pl_defs { +# # # Get the management_group_id from all policy definitions in planned_values.yml +plc_def_plan_management_group_id[module_name] = pl_defs { module := child_modules[_] module_name := module.address pl_defs := [pl_def | module.resources[i].type == "azurerm_policy_definition" - pl_def := module.resources[i].values.management_group_name + pl_def := module.resources[i].values.management_group_id ] } -# # # Get the management_group_name from all policy definitions in the opa.json -plc_def_change_management_group_name[module_name] = pl_defs { +# # # Get the management_group_id from all policy definitions in the opa.json +plc_def_change_management_group_id[module_name] = pl_defs { module := input.resource_changes[_] module_name := module.module_address pl_defs := [pl_def | input.resource_changes[r].type == "azurerm_policy_definition" input.resource_changes[r].module_address == module.module_address - pl_def := input.resource_changes[r].change.after.management_group_name + pl_def := input.resource_changes[r].change.after.management_group_id ] } diff --git a/tests/opa/policy/policy_set_definitions.rego b/tests/opa/policy/policy_set_definitions.rego index c1d4f473..832e688b 100644 --- a/tests/opa/policy/policy_set_definitions.rego +++ b/tests/opa/policy/policy_set_definitions.rego 
@@ -6,10 +6,10 @@ import data.child_modules # Rules ######################## -# # # Compare the policy_set_definition_management_group_name and fail if they are not equal. -violation[policy_set_definition_management_group_name] { - plc_set_def_plan_management_group_name != plc_set_def_change_management_group_name - policy_set_definition_management_group_name := sprintf("The policy_set_definition_management_group_name planned values:\n \n %v \n \n are not equal to the policy_set_definition_management_group_name changed values:\n \n %v", [plc_set_def_plan_management_group_name, plc_set_def_change_management_group_name]) +# # # Compare the policy_set_definition_management_group_id and fail if they are not equal. +violation[policy_set_definition_management_group_id] { + plc_set_def_plan_management_group_id != plc_set_def_change_management_group_id + policy_set_definition_management_group_id := sprintf("The policy_set_definition_management_group_id planned values:\n \n %v \n \n are not equal to the policy_set_definition_management_group_id changed values:\n \n %v", [plc_set_def_plan_management_group_id, plc_set_def_change_management_group_id]) } # # # Compare the policy_set_definition_metadata and fail if they are not equal. 
@@ -40,24 +40,24 @@ violation[policy_set_definition_reference] { # Library ######################## -# # # Get the management_group_name from all policy set definitions in planned_values.yml -plc_set_def_plan_management_group_name[module_name] = plcs { +# # # Get the management_group_id from all policy set definitions in planned_values.yml +plc_set_def_plan_management_group_id[module_name] = plcs { module := child_modules[_] module_name := module.address plcs := [plc | module.resources[i].type == "azurerm_policy_set_definition" - plc := module.resources[i].values.management_group_name + plc := module.resources[i].values.management_group_id ] } -# # # Get the management_group_name from all policy set definitions in the opa.json -plc_set_def_change_management_group_name[module_name] = plcs { +# # # Get the management_group_id from all policy set definitions in the opa.json +plc_set_def_change_management_group_id[module_name] = plcs { module := input.resource_changes[_] module_name := module.module_address plcs := [plc | input.resource_changes[r].type == "azurerm_policy_set_definition" input.resource_changes[r].module_address == module.module_address - plc := input.resource_changes[r].change.after.management_group_name + plc := input.resource_changes[r].change.after.management_group_id ] } diff --git a/tests/pipelines/spn-generator.yml b/tests/pipelines/spn-generator.yml index 1cf07faf..5d011656 100644 --- a/tests/pipelines/spn-generator.yml +++ b/tests/pipelines/spn-generator.yml @@ -1,5 +1,5 @@ --- -name: 'SPN generator' +name: "SPN generator" trigger: none 
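Review bot: A resource that lacks `management_group_id` is dropped from both comprehensions in this hunk instead of causing a failure, because an undefined reference in a Rego comprehension body simply excludes that element. If the pinned provider or the plan output did not emit the attribute, the planned and changed lists would both be empty and `violation[policy_set_definition_management_group_id]` would pass without checking anything. I would add a comment to each helper, e.g. `# Resources without management_group_id are skipped; empty lists on both sides compare equal.`, and consider comparing the list length with the number of `azurerm_policy_set_definition` resources in the module.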
@@ -7,16 +7,16 @@ pool: vmImage: ubuntu-20.04 variables: -- group: csu-tf-environment + - group: csu-tf-environment jobs: -- job: run_spn_generator - displayName: 'Run SPN generator' - steps: - - task: Bash@3 - displayName: 'Create or update SPN settings' - inputs: - targetType: 'inline' - script: 'make azp-spn-generator' - env: - ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET) \ No newline at end of file + - job: run_spn_generator + displayName: "Run SPN Generator" + steps: + - task: Bash@3 + displayName: "Create or update SPN settings" + inputs: + targetType: "inline" + script: "make azp-spn-generator" + env: + ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET) diff --git a/tests/pipelines/templates/tests-backend.yml b/tests/pipelines/templates/tests-backend.yml new file mode 100644 index 00000000..0a84b53c --- /dev/null +++ b/tests/pipelines/templates/tests-backend.yml @@ -0,0 +1,10 @@ +--- +steps: + - task: Bash@3 + name: prepare_backend + displayName: "Prepare Backend Storage" + inputs: + targetType: "inline" + script: "make azp-backend" + env: + ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET) diff --git a/tests/pipelines/templates/tests-common.yml b/tests/pipelines/templates/tests-common.yml index 76c348d1..5a906ec2 100644 --- a/tests/pipelines/templates/tests-common.yml +++ b/tests/pipelines/templates/tests-common.yml 
@@ -1,27 +1,15 @@ --- steps: -- task: Bash@3 - displayName: 'Terraform (install)' - inputs: - targetType: 'inline' - script: 'make tf-install' + - task: Bash@3 + displayName: "Install Terraform Pre-requisites" + inputs: + targetType: "inline" + script: "make tf-install" -- task: Bash@3 - displayName: 'Terraform (prepare)' - inputs: - targetType: 'inline' - script: 'make tf-prepare' - env: - ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET) - -- task: Bash@3 - displayName: 'Terraform (fmt)' - inputs: - targetType: 'inline' - script: 'make tf-fmt' - -- task: Bash@3 - displayName: 'Terraform (init)' - inputs: - targetType: 'inline' - script: 'make tf-init' \ No newline at end of file + - task: Bash@3 + displayName: "Prepare Terraform Environment" + inputs: + targetType: "inline" + script: "make tf-prepare" + env: + ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET) diff --git a/tests/pipelines/templates/tests-loop.yml b/tests/pipelines/templates/tests-loop.yml new file mode 100644 index 00000000..4d564eec --- /dev/null +++ b/tests/pipelines/templates/tests-loop.yml 
@@ -0,0 +1,56 @@
+---
+parameters:
+ - name: module_path
+ type: string
+ - name: run_type
+ type: string
+
+steps:
+ - task: Bash@3
+ displayName: "[terraform init]"
+ inputs:
+ targetType: "inline"
+ script: "make tf-init"
+ env:
+ ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET)
+ TEST_MODULE_PATH: "${{ parameters.module_path }}"
+ condition: and(succeeded(), in('${{ parameters.run_type }}', 'unit', 'e2e', 'destroy'))
+
+ - task: Bash@3
+ displayName: "[terraform plan]"
+ inputs:
+ targetType: "inline"
+ script: "make tf-plan"
+ env:
+ ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET)
+ TEST_MODULE_PATH: "${{ parameters.module_path }}"
+ condition: and(succeeded(), in('${{ parameters.run_type }}', 'unit', 'e2e'))
+
+ - task: Bash@3
+ displayName: "[conftest run]"
+ inputs:
+ targetType: "inline"
+ script: "make opa-run-tests"
+ env:
+ TEST_MODULE_PATH: "${{ parameters.module_path }}"
+ condition: and(succeeded(), eq('${{ parameters.run_type }}', 'unit'))
+
+ - task: Bash@3
+ displayName: "[terraform apply]"
+ inputs:
+ targetType: "inline"
+ script: "make tf-apply"
+ env:
+ ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET)
+ TEST_MODULE_PATH: "${{ parameters.module_path }}"
+ condition: and(succeeded(), eq('${{ parameters.run_type }}', 'e2e'))
+
+ - task: Bash@3
+ displayName: "[terraform destroy]"
+ inputs:
+ targetType: "inline"
+ script: "make tf-destroy"
+ env:
+ ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET)
+ TEST_MODULE_PATH: "${{ parameters.module_path }}"
+ condition: and(succeeded(), eq('${{ parameters.run_type }}', 'destroy'))
diff --git a/tests/pipelines/templates/tests-strategy.yml b/tests/pipelines/templates/tests-strategy.yml
index f6cbe62a..d766b0df 100644
--- a/tests/pipelines/templates/tests-strategy.yml
+++ b/tests/pipelines/templates/tests-strategy.yml
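Review bot: `run_type` is declared as a free-form `string`, while every step's `condition` compares it against 'unit', 'e2e' or 'destroy', so a misspelled value from a calling pipeline skips all five steps and the job can still finish green without running any test or destroy. Constrain it where it is declared by adding `values: [unit, e2e, destroy]` under the `run_type` parameter, so a bad value is rejected when the template is expanded. A short header comment listing which steps each run type enables (init for all three, plan for unit and e2e, conftest for unit, apply for e2e, destroy for destroy) would also save readers from decoding the five conditions.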
@@ -1,11 +1,11 @@ --- steps: -- task: PowerShell@2 - name: build_strategy - displayName: "Generate Build Strategy" - inputs: - targetType: 'inline' - script: 'make azp-strategy' - env: - ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET) - BILLING_SCOPE: $(BILLING_SCOPE) \ No newline at end of file + - task: PowerShell@2 + name: build_strategy + displayName: "Generate Build Strategy" + inputs: + targetType: "inline" + script: "make azp-strategy" + env: + ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET) + BILLING_SCOPE: $(BILLING_SCOPE) diff --git a/tests/pipelines/tests-e2e.yml b/tests/pipelines/tests-e2e.yml index e2b9c08c..90804101 100644 --- a/tests/pipelines/tests-e2e.yml +++ b/tests/pipelines/tests-e2e.yml @@ -1,5 +1,5 @@ --- -name: 'Tests (E2E)' +name: "Tests (E2E)" trigger: none 
@@ -7,43 +7,109 @@ pool: vmImage: ubuntu-20.04 variables: -- group: csu-tf-environment + - group: csu-tf-environment jobs: -- job: matrix_generator - displayName: 'Matrix Generator' - steps: - - template: templates/tests-strategy.yml + - job: matrix_generator + displayName: "Matrix Generator" + steps: + - template: templates/tests-strategy.yml -- job: run_e2e_tests - displayName: 'E2E Tests' - dependsOn: matrix_generator - strategy: - matrix: $[ dependencies.matrix_generator.outputs['build_strategy.matrix_json'] ] - steps: - - template: templates/tests-common.yml + - job: backend_generator + displayName: "Backend Storage Generator" + steps: + - template: templates/tests-backend.yml - - task: Bash@3 - displayName: 'Terraform (plan)' - inputs: - targetType: 'inline' - script: 'make tf-plan' - env: - ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET) + - job: run_e2e_tests_001 + displayName: "E2E Tests 001" + dependsOn: + - matrix_generator + - backend_generator + strategy: + matrix: $[ dependencies.matrix_generator.outputs['build_strategy.matrix_json'] ] + variables: + STORAGE_ACCOUNT_RSG_NAME: $[ dependencies.backend_generator.outputs['prepare_backend.STORAGE_ACCOUNT_RSG_NAME'] ] + STORAGE_ACCOUNT_NAME: $[ dependencies.backend_generator.outputs['prepare_backend.STORAGE_ACCOUNT_NAME'] ] + STORAGE_CONTAINER_NAME: $[ dependencies.backend_generator.outputs['prepare_backend.STORAGE_CONTAINER_NAME'] ] + timeoutInMinutes: 30 + steps: + - template: templates/tests-common.yml - - task: Bash@3 - displayName: 'Terraform (apply)' - inputs: - targetType: 'inline' - script: 'make tf-apply' - env: - ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET) + - template: templates/tests-loop.yml + parameters: + module_path: "tests/modules/test_001_baseline" + run_type: e2e - - task: Bash@3 - displayName: 'Terraform (destroy)' - inputs: - targetType: 'inline' - script: 'make tf-destroy' - env: - ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET) - condition: always() \ No newline at end of file + - job: run_e2e_tests_002 
+ displayName: "E2E Tests 002" + dependsOn: + - matrix_generator + - backend_generator + - run_e2e_tests_001 + strategy: + matrix: $[ dependencies.matrix_generator.outputs['build_strategy.matrix_json'] ] + variables: + STORAGE_ACCOUNT_RSG_NAME: $[ dependencies.backend_generator.outputs['prepare_backend.STORAGE_ACCOUNT_RSG_NAME'] ] + STORAGE_ACCOUNT_NAME: $[ dependencies.backend_generator.outputs['prepare_backend.STORAGE_ACCOUNT_NAME'] ] + STORAGE_CONTAINER_NAME: $[ dependencies.backend_generator.outputs['prepare_backend.STORAGE_CONTAINER_NAME'] ] + timeoutInMinutes: 30 + steps: + - template: templates/tests-common.yml + + - template: templates/tests-loop.yml + parameters: + module_path: "tests/modules/test_002_add_custom_core" + run_type: e2e + + - job: run_e2e_tests_003 + displayName: "E2E Tests 003" + dependsOn: + - matrix_generator + - backend_generator + - run_e2e_tests_002 + strategy: + matrix: $[ dependencies.matrix_generator.outputs['build_strategy.matrix_json'] ] + variables: + STORAGE_ACCOUNT_RSG_NAME: $[ dependencies.backend_generator.outputs['prepare_backend.STORAGE_ACCOUNT_RSG_NAME'] ] + STORAGE_ACCOUNT_NAME: $[ dependencies.backend_generator.outputs['prepare_backend.STORAGE_ACCOUNT_NAME'] ] + STORAGE_CONTAINER_NAME: $[ dependencies.backend_generator.outputs['prepare_backend.STORAGE_CONTAINER_NAME'] ] + timeoutInMinutes: 60 + steps: + - template: templates/tests-common.yml + + - template: templates/tests-loop.yml + parameters: + module_path: "tests/modules/test_003_add_mgmt_conn" + run_type: e2e + + - job: run_e2e_clean_up + displayName: "E2E Clean-up" + dependsOn: + - matrix_generator + - backend_generator + - run_e2e_tests_003 + strategy: + matrix: $[ dependencies.matrix_generator.outputs['build_strategy.matrix_json'] ] + variables: + STORAGE_ACCOUNT_RSG_NAME: $[ dependencies.backend_generator.outputs['prepare_backend.STORAGE_ACCOUNT_RSG_NAME'] ] + STORAGE_ACCOUNT_NAME: $[ dependencies.backend_generator.outputs['prepare_backend.STORAGE_ACCOUNT_NAME'] 
] + STORAGE_CONTAINER_NAME: $[ dependencies.backend_generator.outputs['prepare_backend.STORAGE_CONTAINER_NAME'] ] + timeoutInMinutes: 60 + cancelTimeoutInMinutes: 60 + condition: | + or + ( + and + ( + or(failed(), canceled()), + ne(variables.ALWAYS_DESTROY, 'false') + ), + succeeded() + ) + steps: + - template: templates/tests-common.yml + + - template: templates/tests-loop.yml + parameters: + module_path: "tests/modules/test_001_baseline" + run_type: destroy diff --git a/tests/pipelines/tests-unit.yml b/tests/pipelines/tests-unit.yml index a5293363..cb837ef0 100644 --- a/tests/pipelines/tests-unit.yml +++ b/tests/pipelines/tests-unit.yml 
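Review bot: The `condition` on `run_e2e_clean_up` carries no comment, and its nesting hides the one case where deployed test resources stay in the subscription. As written the job runs after success, and after a failure or cancel unless `ALWAYS_DESTROY` is 'false'; I would put `# Destroy on success; on failure/cancel destroy unless ALWAYS_DESTROY is 'false' (resources are then left for debugging and must be removed by hand)` directly above it. The destroy step inside templates/tests-loop.yml is itself gated by `succeeded()`, so a failing `terraform init` in this job also leaves resources behind, which is worth a second comment line.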
@@ -15,30 +15,48 @@ jobs: steps: - template: templates/tests-strategy.yml + - job: backend_generator + displayName: "Backend Storage Generator" + steps: + - template: templates/tests-backend.yml + - job: run_unit_tests displayName: "Unit Tests" - dependsOn: matrix_generator + dependsOn: + - matrix_generator + - backend_generator strategy: matrix: $[ dependencies.matrix_generator.outputs['build_strategy.matrix_json'] ] + variables: + STORAGE_ACCOUNT_RSG_NAME: $[ dependencies.backend_generator.outputs['prepare_backend.STORAGE_ACCOUNT_RSG_NAME'] ] + STORAGE_ACCOUNT_NAME: $[ dependencies.backend_generator.outputs['prepare_backend.STORAGE_ACCOUNT_NAME'] ] + STORAGE_CONTAINER_NAME: $[ dependencies.backend_generator.outputs['prepare_backend.STORAGE_CONTAINER_NAME'] ] steps: - template: templates/tests-common.yml - task: Bash@3 - displayName: "Terraform (plan)" + displayName: "[terraform fmt]" inputs: targetType: "inline" - script: "make tf-plan" - env: - ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET) + script: "make tf-fmt" - task: Bash@3 - displayName: "Opa Conftest (install)" + displayName: "[conftest install]" inputs: targetType: "inline" script: "make opa-install" - - task: Bash@3 - displayName: "Conftest (run tests)" - inputs: - targetType: "inline" - script: "make opa-run-tests" + - template: templates/tests-loop.yml + parameters: + module_path: "tests/modules/test_001_baseline" + run_type: unit + + - template: templates/tests-loop.yml + parameters: + module_path: "tests/modules/test_002_add_custom_core" + run_type: unit + + - template: templates/tests-loop.yml + parameters: + module_path: "tests/modules/test_003_add_mgmt_conn" + run_type: unit diff --git a/tests/scripts/azp-backend.sh b/tests/scripts/azp-backend.sh new file mode 100755 index 00000000..9cf403a4 --- /dev/null +++ b/tests/scripts/azp-backend.sh 
@@ -0,0 +1,73 @@
+#!/usr/bin/bash
+set -e
+
+#
+# Shell Script
+# - Terraform Create or Update Azure Backend Storage
+#
+
+echo "==> Authenticating cli..."
+az login \
+ --service-principal \
+ --tenant "$ARM_TENANT_ID" \
+ --username "$ARM_CLIENT_ID" \
+ --password "$ARM_CLIENT_SECRET" \
+ --query [?isDefault]
+
+echo "==> Setting active Subscription..."
+az account set \
+ --subscription "$ARM_SUBSCRIPTION_ID"
+az account list \
+ --query "[?isDefault]"
+
+echo "==> Create or update Resource Group..."
+RSG_NAME="$DEFAULT_PREFIX"
+az group create \
+ --name "$RSG_NAME" \
+ --location "$PRIMARY_LOCATION" \
+ --query 'properties.provisioningState' \
+ --out tsv
+
+# Set STORAGE_ACCOUNT_RSG_NAME to an output variable for downstream consumption.
+echo "##vso[task.setVariable variable=STORAGE_ACCOUNT_RSG_NAME;isOutput=true]$RSG_NAME"
+
+echo "==> Create or update Storage Account..."
+# Storage account name must be lowercase alphanumeric
+SA_NAME=$(
+ echo "$DEFAULT_PREFIX$PRIMARY_LOCATION" |
+ tr '[:upper:]' '[:lower:]' |
+ tr -cd '[:alnum:]'
+)
+SA_ID=$(
+ az storage account create \
+ --name "$SA_NAME" \
+ --resource-group "$RSG_NAME" \
+ --location "$PRIMARY_LOCATION" \
+ --kind 'StorageV2' \
+ --access-tier 'Hot' \
+ --sku 'Standard_LRS' \
+ --min-tls-version 'TLS1_2' \
+ --query 'id' \
+ --out tsv
+)
+
+# Set STORAGE_ACCOUNT_NAME to an output variable for downstream consumption.
+echo "##vso[task.setVariable variable=STORAGE_ACCOUNT_NAME;isOutput=true]$SA_NAME"
+
+echo "==> Create or update Storage Account permissions..."
+az role assignment create \
+ --role 'Storage Blob Data Contributor' \
+ --assignee "$ARM_CLIENT_ID" \
+ --scope "$SA_ID"
+
+echo "==> Create or update Storage Account container..."
+SC_NAME="tfstate"
+az storage container create \
+ --name "$SC_NAME" \
+ --auth-mode 'login' \
+ --account-name "$SA_NAME" \
+ --query 'created' \
+ --out tsv
+
+# Set STORAGE_CONTAINER_NAME to an output variable for downstream consumption.
+echo "##vso[task.setVariable variable=STORAGE_CONTAINER_NAME;isOutput=true]$SC_NAME" diff --git a/tests/scripts/azp-spn-generator.sh b/tests/scripts/azp-spn-generator.sh index 9b1726df..1643102f 100755 --- a/tests/scripts/azp-spn-generator.sh +++ b/tests/scripts/azp-spn-generator.sh @@ -24,7 +24,7 @@ echo "==> Create or update Resource Group..." RSG_NAME="$DEFAULT_PREFIX" az group create \ --name "$RSG_NAME" \ - --location "$DEFAULT_LOCATION" \ + --location "$PRIMARY_LOCATION" \ --query 'properties.provisioningState' \ --out tsv @@ -44,7 +44,7 @@ if [ -z "$KV_EXISTS" ]; then az keyvault create \ --resource-group "$RSG_NAME" \ --name "$KEY_VAULT_NAME" \ - --location "$DEFAULT_LOCATION" \ + --location "$PRIMARY_LOCATION" \ --query 'properties.provisioningState' \ --out tsv else diff --git a/tests/scripts/azp-strategy.ps1 b/tests/scripts/azp-strategy.ps1 index ed715307..c81fcee8 100755 --- a/tests/scripts/azp-strategy.ps1 +++ b/tests/scripts/azp-strategy.ps1 @@ -23,6 +23,15 @@ $jsonDepth = 4 $terraformUrl = "https://api.github.com/repos/hashicorp/terraform/tags" $azurermProviderUrl = "https://registry.terraform.io/v1/providers/hashicorp/azurerm" +function Get-RandomId { + [CmdletBinding()] + [OutputType([String])] + param ( + [Int]$Length = 8 + ) + return -join ((48..57) + (97..122) | Get-Random -Count $Length | ForEach-Object { [char]$_ }) +} + ######################################## # Terraform Versions # - Base Version: "0.15.0" @@ -44,11 +53,11 @@ $terraformVersionsCount = $terraformVersions.Count ####################################### # Terraform AzureRM Provider Versions -# - Base Version: (2.77.0) +# - Base Version: (2.96.0) # - Latest Versions: (latest 1) ####################################### -$azurermProviderVersionBase = "2.77.0" +$azurermProviderVersionBase = "2.96.0" $azurermProviderVersionLatest = (Invoke-RestMethod -Method Get -Uri $azurermProviderUrl).version ####################################### 
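Review bot: The storage account that will hold the Terraform state is hardened only with `--min-tls-version 'TLS1_2'` in the new azp-backend.sh. State files routinely carry secrets and resource identifiers, so the `az storage account create` call should also pass `--allow-blob-public-access false` and `--https-only true` rather than rely on CLI or subscription defaults. Separately, the `az login` call passes `--query [?isDefault]` unquoted, unlike the quoted `"[?isDefault]"` on `az account list` just below; quote it so the shell cannot glob-expand it. The role assignment is followed at once by `az storage container create --auth-mode 'login'`, which presumably can fail on a first run until the assignment has propagated, so that is worth confirming.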
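Review bot: `Get-Random -Count $Length` in the new `Get-RandomId` samples the 36-character pool without replacement, so no character ever repeats and any `-Length` above 36 silently returns a 36-character string. If the ids should be uniformly random (the later hunks assign them to `TF_ROOT_ID` for every matrix job), draw one character per position: `return -join (1..$Length | ForEach-Object { [char]((48..57) + (97..122) | Get-Random) })`. The function also has no comment-based help; a one-line `.SYNOPSIS` saying the result is a lowercase alphanumeric test identifier, not a secret, would make the intent clear.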
@@ -149,6 +158,7 @@ for ($i = 0; $i -lt $terraformVersionsCount; $i++) { $matrixObject | Add-Member ` -NotePropertyName $jobName1 ` -NotePropertyValue @{ + TF_ROOT_ID = Get-RandomId TF_VERSION = $terraformVersion TF_AZ_VERSION = $azurermProviderVersionBase TF_JOB_ID = $jobId1 @@ -159,6 +169,7 @@ for ($i = 0; $i -lt $terraformVersionsCount; $i++) { $matrixObject | Add-Member ` -NotePropertyName $jobName2 ` -NotePropertyValue @{ + TF_ROOT_ID = Get-RandomId TF_VERSION = $terraformVersion TF_AZ_VERSION = $azurermProviderVersionLatest TF_JOB_ID = $jobId2 diff --git a/tests/scripts/opa-install.sh b/tests/scripts/opa-install-linux.sh similarity index 100% rename from tests/scripts/opa-install.sh rename to tests/scripts/opa-install-linux.sh diff --git a/tests/scripts/opa-install-windows.ps1 b/tests/scripts/opa-install-windows.ps1 new file mode 100644 index 00000000..3b144f1e --- /dev/null +++ b/tests/scripts/opa-install-windows.ps1 
@@ -0,0 +1,65 @@
+#!/usr/bin/pwsh
+
+#
+# PowerShell Script
+# - Conftest Install
+#
+
+# Install Scoop
+if (Get-command -name scoop -ErrorAction SilentlyContinue) {
+ Write-Output "==> Scoop exists, skip install"
+ scoop --version
+ scoop update
+}
+else {
+ Write-Output "`n"
+ Write-Output "==> To run Conftest tests on Windows, some utilities need to be installed with Scoop"
+ Write-Output "==> To install Scoop on Windows, run this command from a new terminal:"
+ Write-Output "`n"
+ Write-Output "Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https:\\get.scoop.sh')"
+ Write-Output "`n"
+ Write-Output "==> After installing Scoop, run: ./opa-values-generator.ps1"
+ Write-Output "`n"
+ exit
+}
+
+# Install Terraform
+if (Get-command -name terraform -ErrorAction SilentlyContinue) {
+ Write-Output "==> Terraform exists, skip install"
+ terraform version
+}
+else {
+ Write-Output "==> Install Terraform on Windows..."
+ scoop install terraform
+}
+
+# Install jq
+if (Get-command -name jq -ErrorAction SilentlyContinue) {
+ Write-Output "==> jq exists, skip install"
+ jq --version
+}
+else {
+ Write-Output "==> Install jq on Windows..."
+ scoop install jq
+}
+
+# Install yq
+if (Get-command -name yq -ErrorAction SilentlyContinue) {
+ Write-Output "==> yq exists, skip install"
+ yq --version
+}
+else {
+ Write-Output "==> Install yq on Windows..."
+ scoop install yq
+}
+
+# Install Conftest
+if (Get-command -name conftest -ErrorAction SilentlyContinue) {
+ Write-Output "==> conftest exists, skip install"
+ conftest --version
+}
+else {
+ Write-Output "==> Install conftest on Windows..."
+ scoop bucket add instrumenta https://github.com/instrumenta/scoop-instrumenta
+ scoop install conftest
+}
diff --git a/tests/scripts/opa-run-tests.sh b/tests/scripts/opa-run-tests.sh
index 2bbffa5b..1832a4f6 100755
--- a/tests/scripts/opa-run-tests.sh
+++ b/tests/scripts/opa-run-tests.sh
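Review bot: When Scoop is missing, opa-install-windows.ps1 prints instructions and calls a bare `exit`, which reports success, so `opa-values-generator.ps1` (which runs `./opa-install-windows.ps1`) continues to `terraform init` with the tools absent. Use `exit 1` here and have the caller check `$LASTEXITCODE`. The printed install command writes the URL as `https:\\get.scoop.sh` where `https://get.scoop.sh` is meant, and it tells the reader to feed a downloaded script straight into `Invoke-Expression`; pointing to Scoop's own install documentation would be the safer instruction. The `instrumenta` bucket and every `scoop install` are unpinned, so the conftest, jq and yq versions used for the policy tests are whatever is current on the day.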
@@ -6,7 +6,8 @@ set -e # - OPA Run Tests # # # Parameters -TF_PLAN_JSON="terraform-plan-$TF_VERSION-$TF_AZ_VERSION" +TF_WORKSPACE="$PIPELINE_WORKSPACE/s/$TEST_MODULE_PATH" +TF_PLAN_OUT="$TF_WORKSPACE/terraform-plan-$TF_VERSION-$TF_AZ_VERSION" # # # Store data temporarily TEMP_FILE_01=$(mktemp).json 
@@ -14,43 +15,42 @@ TEMP_FILE_02=$(mktemp).json # # # Update the planned_values.json with the latest parameters echo "==> Update planned values..." -cd "$PIPELINE_WORKSPACE/s/tests/deployment" -jq '(.. | strings) |= gsub("root-id-1"; "'"$TF_ROOT_ID_1"'")' planned_values.json >"$TEMP_FILE_01" -jq '(.. | strings) |= gsub("root-id-2"; "'"$TF_ROOT_ID_2"'")' "$TEMP_FILE_01" >"$TEMP_FILE_02" -jq '(.. | strings) |= gsub("root-id-3"; "'"$TF_ROOT_ID_3"'")' "$TEMP_FILE_02" >"$TEMP_FILE_01" +cd "$TF_WORKSPACE" +jq '(.. | strings) |= gsub("root-id-1"; "'"$TF_ROOT_ID"'")' planned_values.json >"$TEMP_FILE_01" jq '(.. | strings) |= gsub("root-name"; "ES-'"$TF_VERSION"'-'"$TF_AZ_VERSION"'")' "$TEMP_FILE_01" >"$TEMP_FILE_02" -jq '(.. | strings) |= gsub("eastus"; "eastus")' "$TEMP_FILE_02" >"$TF_PLAN_JSON"_updated_planned_values.json +jq '(.. | strings) |= gsub("northeurope"; "northeurope")' "$TEMP_FILE_02" >"$TEMP_FILE_01" +jq '(.. | strings) |= gsub("westeurope"; "westeurope")' "$TEMP_FILE_01" >"$TF_PLAN_OUT"_updated_planned_values.json -echo "==> Module Location - $DEFAULT_LOCATION" -echo "==> Azure {TF_ROOT_ID_1} - ${TF_ROOT_ID_1}" -echo "==> Azure TF_ROOT_ID_1 - $TF_ROOT_ID_1" +echo "==> Module Locations - $PRIMARY_LOCATION ($SECONDARY_LOCATION)" +echo "==> Azure {TF_ROOT_ID} - ${TF_ROOT_ID}" +echo "==> Azure TF_ROOT_ID - $TF_ROOT_ID" wait echo "==> Converting to yaml..." -yq <"$TF_PLAN_JSON"_updated_planned_values.json e -P - >../opa/policy/"$TF_PLAN_JSON"_updated_planned_values.yml +yq <"$TF_PLAN_OUT"_updated_planned_values.json e -P - >"$TF_PLAN_OUT"_updated_planned_values.yml wait echo "==> Check yaml for errors..." -yamllint -d relaxed ../opa/policy/"$TF_PLAN_JSON"_updated_planned_values.yml +yamllint -d relaxed "$TF_PLAN_OUT"_updated_planned_values.yml echo "==> Running conftest..." echo echo "==> Testing management_groups..." 
-conftest test "$TF_PLAN_JSON".json -p ../opa/policy/management_groups.rego -d ../opa/policy/"$TF_PLAN_JSON"_updated_planned_values.yml +conftest test "$TF_PLAN_OUT".json -p ../../opa/policy/management_groups.rego -d "$TF_PLAN_OUT"_updated_planned_values.yml echo echo "==> Testing role_definitions..." -conftest test "$TF_PLAN_JSON".json -p ../opa/policy/role_definitions.rego -d ../opa/policy/"$TF_PLAN_JSON"_updated_planned_values.yml +conftest test "$TF_PLAN_OUT".json -p ../../opa/policy/role_definitions.rego -d "$TF_PLAN_OUT"_updated_planned_values.yml echo echo "==> Testing role_assignments..." -conftest test "$TF_PLAN_JSON".json -p ../opa/policy/role_assignments.rego -d ../opa/policy/"$TF_PLAN_JSON"_updated_planned_values.yml +conftest test "$TF_PLAN_OUT".json -p ../../opa/policy/role_assignments.rego -d "$TF_PLAN_OUT"_updated_planned_values.yml echo echo "==> Testing policy_set_definitions..." -conftest test "$TF_PLAN_JSON".json -p ../opa/policy/policy_set_definitions.rego -d ../opa/policy/"$TF_PLAN_JSON"_updated_planned_values.yml +conftest test "$TF_PLAN_OUT".json -p ../../opa/policy/policy_set_definitions.rego -d "$TF_PLAN_OUT"_updated_planned_values.yml echo echo "==> Testing policy_definitions..." -conftest test "$TF_PLAN_JSON".json -p ../opa/policy/policy_definitions.rego -d ../opa/policy/"$TF_PLAN_JSON"_updated_planned_values.yml +conftest test "$TF_PLAN_OUT".json -p ../../opa/policy/policy_definitions.rego -d "$TF_PLAN_OUT"_updated_planned_values.yml echo echo "==> Testing policy_assignments..." -conftest test "$TF_PLAN_JSON".json -p ../opa/policy/policy_assignments.rego -d ../opa/policy/"$TF_PLAN_JSON"_updated_planned_values.yml +conftest test "$TF_PLAN_OUT".json -p ../../opa/policy/policy_assignments.rego -d "$TF_PLAN_OUT"_updated_planned_values.yml diff --git a/tests/scripts/opa-values-generator.ps1 b/tests/scripts/opa-values-generator.ps1 index e8e96400..bb514346 100644 --- a/tests/scripts/opa-values-generator.ps1 
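Review bot: The new `jq` lines splice `$TF_ROOT_ID`, `$TF_VERSION` and `$TF_AZ_VERSION` into the filter text by closing and reopening the shell quotes, so a value containing `"` or `\` alters the jq program instead of the replacement string. Pass the values as data, for example `jq --arg root_id "$TF_ROOT_ID" '(.. | strings) |= gsub("root-id-1"; $root_id)' planned_values.json >"$TEMP_FILE_01"`. The two location lines replace "northeurope" with "northeurope" and "westeurope" with "westeurope", which changes nothing; if they are meant to follow `$PRIMARY_LOCATION` and `$SECONDARY_LOCATION` (the echo below prints both), they need the same `--arg` treatment.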
+++ b/tests/scripts/opa-values-generator.ps1 @@ -1,3 +1,5 @@ +#!/usr/bin/pwsh + ############################################### # Run tests and generate testing values. ############################################### @@ -6,9 +8,7 @@ # The script will install all the necessary components locally and run the tests. # After completing the tests, follow the script prompt for the next steps. - # # Parameters -$PLAN_NAME = "terraform-plan" $CONFIRM = "y" # # #? Run a local test against a different module configuration: 
@@ -16,142 +16,114 @@ $CONFIRM = "y" # # #* Copy paste the variables.tf file from deployment folder and adjust your main.tf ############################################### # # #* Path of the tested _es terraform module -$MODULE_PATH = "../deployment" +$BASE_PATH = $(Get-Location).Path +$MODULE_PATHS = @( + "$($BASE_PATH)/../modules/test_001_baseline" + "$($BASE_PATH)/../modules/test_002_add_custom_core" + "$($BASE_PATH)/../modules/test_003_add_mgmt_conn" +) ############################################### +$PWSH_OS = $PSVersionTable.OS +$PWSH_PLATFORM = $PSVersionTable.Platform -# Install Scoop -if (Get-command -name scoop -ErrorAction SilentlyContinue) { - Write-Output "==> Scoop exists, skip install" - scoop --version - scoop update +Write-Output "################################################" +Write-Output "==> Initiate installation of pre-requisites..." +Write-Output "==> OS : $PWSH_OS" +Write-Output "==> Platform : $PWSH_PLATFORM" +Write-Output "`n" + +if (($PWSH_OS -like "*Windows*") -and ($PWSH_PLATFORM -eq "Win32NT")) { + ./opa-install-windows.ps1 } -else { - Write-Output "`n" - Write-Output "==> To run Conftest tests on Windows, some utilities need to be installed with Scoop" - Write-Output "==> To install Scoop on Windows, run this command from a new terminal:" - Write-Output "`n" - Write-Output "Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https:\\get.scoop.sh')" - Write-Output "`n" - Write-Output "==> After installing Scoop, run: .\opa-values-generator.ps1" - Write-Output "`n" - exit +elseif (($PWSH_OS -like "Darwin*") -and ($PWSH_PLATFORM -eq "Unix")) { + Write-Output "Support for MacOS still in development. Please ensure pre-requisites are manually installed and re-run this script if errors occur due to missing software." 
+} +elseif (($PWSH_OS -like "Linux*") -and ($PWSH_PLATFORM -eq "Unix")) { + source opa-install-linux.sh } -# Install Terraform -if (Get-command -name terraform -ErrorAction SilentlyContinue) { - Write-Output "==> Terraform exists, skip install" - terraform version +Write-Output "`n" +Write-Output "==> Completed installation of pre-requisites." +Write-Output "################################################" +Write-Output "`n" + +foreach ($MODULE_PATH in $MODULE_PATHS) { + + if (-not ($MODULE_PATH | Test-Path)) { Throw "The directory does not exist, check entries in MODULE_PATHS variable on .\opa-values-generator.ps1 :line 18" } + + $TF_PLAN_OUT = "$MODULE_PATH/terraform_plan" + $PLANNED_VALUES = "$MODULE_PATH/planned_values" + $MODULE_NAME = Split-Path $MODULE_PATH -Leaf + + Write-Output "==> ($MODULE_NAME) - Change to the module root directory..." + Set-Location $MODULE_PATH + + Write-Output "==> ($MODULE_NAME) - Initializing infrastructure..." + terraform init -upgrade + + Write-Output "==> ($MODULE_NAME) - Planning infrastructure..." + terraform plan ` + -var="root_id=root-id-1" ` + -var="root_name=root-name" ` + -var="primary_location=northeurope" ` + -var="secondary_location=westeurope" ` + -out="$TF_PLAN_OUT" + + Write-Output "==> ($MODULE_NAME) - Converting plan to *.json..." + terraform show -json "$TF_PLAN_OUT" | Out-File -FilePath "$TF_PLAN_OUT.json" + + Write-Output "==> ($MODULE_NAME) - Removing the original plan..." + Remove-Item -Path "$TF_PLAN_OUT" + + Write-Output "==> ($MODULE_NAME) - Saving planned values to a temporary planned_values.json..." + Get-Content -Path "$TF_PLAN_OUT.json" | jq '.planned_values.root_module' | Out-File -FilePath "$PLANNED_VALUES.json" + + Write-Output "==> ($MODULE_NAME) - Converting to yaml..." + Get-Content -Path "$PLANNED_VALUES.json" | yq e -P - | Tee-Object "$PLANNED_VALUES.yml" + + # # # Run OPA Tests + Set-Location $MODULE_PATH + Write-Output "==> ($MODULE_NAME) - Running conftest..." 
+ + Write-Output "==> ($MODULE_NAME) - Testing management_groups..." + conftest test "$TF_PLAN_OUT.json" -p ../../opa/policy/management_groups.rego -d "$PLANNED_VALUES.yml" + + Write-Output "==> ($MODULE_NAME) - Testing role_definitions..." + conftest test "$TF_PLAN_OUT.json" -p ../../opa/policy/role_definitions.rego -d "$PLANNED_VALUES.yml" + + Write-Output "==> ($MODULE_NAME) - Testing role_assignments..." + conftest test "$TF_PLAN_OUT.json" -p ../../opa/policy/role_assignments.rego -d "$PLANNED_VALUES.yml" + + Write-Output "==> ($MODULE_NAME) - Testing policy_set_definitions..." + conftest test "$TF_PLAN_OUT.json" -p ../../opa/policy/policy_set_definitions.rego -d "$PLANNED_VALUES.yml" + + Write-Output "==> ($MODULE_NAME) - Testing policy_definitions..." + conftest test "$TF_PLAN_OUT.json" -p ../../opa/policy/policy_definitions.rego -d "$PLANNED_VALUES.yml" + + Write-Output "==> ($MODULE_NAME) - Testing policy_assignments..." + conftest test "$TF_PLAN_OUT.json" -p ../../opa/policy/policy_assignments.rego -d "$PLANNED_VALUES.yml" + + # # # Remove comments and $CONFIRM parameter for CMD prompt. + # # # $CONFIRM = Read-Host "Do you want to prepare files for repository (y/n)?" + if ($CONFIRM -eq 'y') { + Write-Output "`n" + Remove-Item -Path "$TF_PLAN_OUT.json" + Write-Output "==> ($MODULE_NAME) - $TF_PLAN_OUT.json has been removed" + Write-Output "`n" + Remove-Item -Path "$PLANNED_VALUES.yml" + Write-Output "==> ($MODULE_NAME) - $PLANNED_VALUES.yml has been removed" + Write-Output "`n" + } + else { + Write-Warning -Message "($MODULE_NAME) - $TF_PLAN_OUT.json can contain sensitive data" + Write-Warning -Message "($MODULE_NAME) - Exposing $TF_PLAN_OUT.json in a repository can cause security breach" + Write-Output "`n" + Write-Output "($MODULE_NAME) - From within your terraform root module: conftest test $TF_PLAN_OUT.json -p ../../opa/policy/ -d $PLANNED_VALUES.yml" + Write-Output "`n" + } + + Write-Output "==> ($MODULE_NAME) - Return to scripts directory..." 
+ Set-Location $BASE_PATH + } -else { - Write-Output "==> Install Terraform on Windows..." - scoop install terraform -} - -# Install jq -if (Get-command -name jq -ErrorAction SilentlyContinue) { - Write-Output "==> jq exists, skip install" - jq --version -} -else { - Write-Output "==> Install jq on Windows..." - scoop install jq -} - -# Install yq -if (Get-command -name yq -ErrorAction SilentlyContinue) { - Write-Output "==> yq exists, skip install" - yq --version -} -else { - Write-Output "==> Install yq on Windows..." - scoop install yq -} - -# Install Conftest -if (Get-command -name conftest -ErrorAction SilentlyContinue) { - Write-Output "==> conftest exists, skip install" - conftest --version -} -else { - Write-Output "==> Install conftest on Windows..." - scoop bucket add instrumenta https://github.com/instrumenta/scoop-instrumenta - scoop install conftest -} - - - -if (-not ($MODULE_PATH | Test-Path)) { Throw "The directory does not exist, check path on .\opa-values-generator.ps1 :line 18" } - -Write-Output "==> Change to the module root directory..." -Set-Location $MODULE_PATH - -Write-Output "==> Initializing infrastructure..." -terraform init - -Write-Output "==> Planning infrastructure..." -terraform plan ` - -var="root_id_1=root-id-1" ` - -var="root_id_2=root-id-2" ` - -var="root_id_3=root-id-3" ` - -var="root_name=root-name" ` - -var="location=eastus" ` - -out="$PLAN_NAME" - -Write-Output "==> Converting plan to *.json..." -terraform show -json $PLAN_NAME | Out-File -FilePath .\$PLAN_NAME.json - -Write-Output "==> Removing the original plan..." -Remove-Item -Path .\$PLAN_NAME - -Write-Output "==> Saving planned values to a temporary planned_values.json..." -Get-Content -Path .\$PLAN_NAME.json | jq '.planned_values.root_module' | Out-File -FilePath .\planned_values.json - -Write-Output "==> Converting to yaml..." 
-Get-Content -Path .\planned_values.json | yq e -P - | Tee-Object ..\opa\policy\planned_values.yml - - -# # # Run OPA Tests -Set-Location $MODULE_PATH -Write-Output "==> Running conftest..." - -Write-Output "==> Testing management_groups..." -conftest test "$PLAN_NAME.json" -p ..\opa\policy\management_groups.rego -d ..\opa\policy\planned_values.yml - -Write-Output "==> Testing role_definitions..." -conftest test "$PLAN_NAME.json" -p ..\opa\policy\role_definitions.rego -d ..\opa\policy\planned_values.yml - -Write-Output "==> Testing role_assignments..." -conftest test "$PLAN_NAME.json" -p ..\opa\policy\role_assignments.rego -d ..\opa\policy\planned_values.yml - -Write-Output "==> Testing policy_set_definitions..." -conftest test "$PLAN_NAME.json" -p ..\opa\policy\policy_set_definitions.rego -d ..\opa\policy\planned_values.yml - -Write-Output "==> Testing policy_definitions..." -conftest test "$PLAN_NAME.json" -p ..\opa\policy\policy_definitions.rego -d ..\opa\policy\planned_values.yml - -Write-Output "==> Testing policy_assignments..." -conftest test "$PLAN_NAME.json" -p ..\opa\policy\policy_assignments.rego -d ..\opa\policy\planned_values.yml - - - -# # # Remove comments and $CONFIRM parameter for CMD prompt. -# # # $CONFIRM = Read-Host "Do you want to prepare files for repository (y/n)?" 
-if ($CONFIRM -eq 'y') { - Write-Output "`n" - Remove-Item -Path .\$PLAN_NAME.json - Write-Output "$PLAN_NAME.json has been removed from your root module" - Write-Output "`n" - Remove-Item -Path ..\opa\policy\planned_values.yml - Write-Output "planned_values.yml has been removed from your \opa\policy\ directory" - Write-Output "`n" -} -else { - Write-Warning -Message "$PLAN_NAME.json can contain sensitive data" - Write-Warning -Message "Exposing $PLAN_NAME.json in a repository can cause security breach" - Write-Output "`n" - Write-Output "From within your terraform root module: conftest test $PLAN_NAME.json -p ..\opa\policy\ -d ..\opa\policy\planned_values.yml" - Write-Output "`n" -} - - diff --git a/tests/scripts/opa-values-generator.sh b/tests/scripts/opa-values-generator.sh deleted file mode 100755 index e00e056e..00000000 --- a/tests/scripts/opa-values-generator.sh +++ /dev/null 
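Review bot: The Linux branch runs `source opa-install-linux.sh`, but `source` is a shell builtin rather than a PowerShell command or an executable, so under pwsh this line most likely fails with command-not-found and the prerequisites are never installed; `bash ./opa-install-linux.sh` would run the script. Native-command failures do not stop the script either, so after a failed `terraform plan` or `conftest test` the loop carries on and removes `$TF_PLAN_OUT.json` as if the run were clean; checking `$LASTEXITCODE` after those calls would surface the failure. `$PLANNED_VALUES.json` is left on disk in the module directory while only the plan JSON is warned about, so the warning text should presumably cover it too if it can hold the same sensitive values.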
@@ -1,107 +0,0 @@ -#!/usr/bin/env bash -set -e - -# -# Shell Script -# - OPA Run Tests -############################################### -# Run tests and generate testing values. -############################################### - -# # Parameters -PLAN_NAME=terraform-plan -CONFIRM="y" - -# shellcheck source=tests/scripts/opa-install.sh -source opa-install.sh - -# Run this locally to test your terraform configuration and generate the values needed for the automation pipeline. -# The script will install all the necessary components locally and run the tests. -# After completing the tests, follow the script prompt for the next steps. -# -# # #? Run a local test against a different module configuration: -# # #* Update the path to run the tests on a different folder (example: ../deployment_2) -# # #* Copy paste the variables.tf file from deployment folder and adjust your main.tf -############################################### -# # #* Path of the tested _es terraform module -MODULE_PATH="../deployment" -############################################### - -echo -if [ ! -d "$MODULE_PATH" ]; then - echo "The ${MODULE_PATH} directory does not exist, check path on .\opa-values-generator.sh :line 26" - exit -fi - -echo "==> Change to the module root directory..." -cd $MODULE_PATH - -echo "==> Initializing infrastructure..." -terraform init - -echo "==> Planning infrastructure..." -terraform plan \ - -var="root_id_1=root-id-1" \ - -var="root_id_2=root-id-2" \ - -var="root_id_3=root-id-3" \ - -var="root_name=root-name" \ - -var="location=eastus" \ - -out=$PLAN_NAME - -echo "==> Converting plan to *.json..." -terraform show -json "$PLAN_NAME" >"$PLAN_NAME".json - -echo "==> Removing the original plan..." -rm "$PLAN_NAME" - -echo "==> Saving planned values to a temporary planned_values.json..." -jq <"$PLAN_NAME.json" '.planned_values.root_module' >planned_values.json - -echo "==> Converting to yaml..." -yq ../opa/policy/planned_values.yml - -echo "==> Check yaml for errors..." 
-yamllint -d relaxed ../opa/policy/planned_values.yml - -echo "==> Running conftest..." -cd $MODULE_PATH -echo -echo "==> Testing management_groups..." -conftest test "$PLAN_NAME".json -p ../opa/policy/management_groups.rego -d ../opa/policy/planned_values.yml -echo -echo "==> Testing role_definitions..." -conftest test "$PLAN_NAME".json -p ../opa/policy/role_definitions.rego -d ../opa/policy/planned_values.yml -echo -echo "==> Testing role_assignments..." -conftest test "$PLAN_NAME".json -p ../opa/policy/role_assignments.rego -d ../opa/policy/planned_values.yml -echo -echo "==> Testing policy_set_definitions..." -conftest test "$PLAN_NAME".json -p ../opa/policy/policy_set_definitions.rego -d ../opa/policy/planned_values.yml -echo -echo "==> Testing policy_definitions..." -conftest test "$PLAN_NAME".json -p ../opa/policy/policy_definitions.rego -d ../opa/policy/planned_values.yml -echo -echo "==> Testing policy_assignments..." -conftest test "$PLAN_NAME".json -p ../opa/policy/policy_assignments.rego -d ../opa/policy/planned_values.yml - -# # # Remove "<<-EOF $CONFIRM EOF" for CMD prompt. -echo -read -r -p "Do you want to prepare files for repository (y/n)?" CONT <<-EOF -$CONFIRM -EOF -if [ "$CONT" = "y" ]; then - rm $PLAN_NAME.json - echo - echo "$PLAN_NAME.json has been removed from your root module" - echo - rm ../opa/policy/planned_values.yml - echo "planned_values.yml has been removed from your /opa/policy/ directory" - echo -else - echo - echo "$PLAN_NAME.json can contain sensitive data" - echo - echo "Exposing $PLAN_NAME.json in a repository can cause security breach" - echo - echo "From within your terraform root module: conftest test $PLAN_NAME.json -p ../opa/policy/ -d ../opa/policy/planned_values.yml" -fi diff --git a/tests/scripts/tf-apply.sh b/tests/scripts/tf-apply.sh index 1a6f0c03..dce56c4c 100755 --- a/tests/scripts/tf-apply.sh +++ b/tests/scripts/tf-apply.sh 
@@ -6,12 +6,16 @@ set -e # - Terraform Apply # +TF_WORKSPACE="$PIPELINE_WORKSPACE/s/$TEST_MODULE_PATH" +TF_PLAN_OUT="$TF_WORKSPACE/terraform-plan-$TF_VERSION-$TF_AZ_VERSION" +TF_STATE="../tfstate/terraform-$TF_VERSION-$TF_AZ_VERSION.tfstate" + echo "==> Switching directories..." -cd "$PIPELINE_WORKSPACE/s/tests/deployment" +cd "$TF_WORKSPACE" echo "==> Applying infrastructure..." terraform apply \ -auto-approve \ - -parallelism=50 \ - -state="./terraform-$TF_VERSION-$TF_AZ_VERSION.tfstate" \ - "terraform-plan-$TF_VERSION-$TF_AZ_VERSION" + -parallelism="$PARALLELISM" \ + -state="$TF_STATE" \ + "$TF_PLAN_OUT" diff --git a/tests/scripts/tf-destroy.sh b/tests/scripts/tf-destroy.sh index 5233925d..3dadb4a0 100755 --- a/tests/scripts/tf-destroy.sh +++ b/tests/scripts/tf-destroy.sh @@ -6,20 +6,20 @@ set -e # - Terraform Destroy # +TF_WORKSPACE="$PIPELINE_WORKSPACE/s/$TEST_MODULE_PATH" + echo "==> Switching directories..." -cd "$PIPELINE_WORKSPACE/s/tests/deployment" +cd "$TF_WORKSPACE" echo "==> Destroying infrastructure..." # shellcheck disable=SC2153 # Environment variables set by pipeline terraform destroy \ - -var "location=$DEFAULT_LOCATION" \ - -var "root_id_1=$TF_ROOT_ID_1" \ - -var "root_id_2=$TF_ROOT_ID_2" \ - -var "root_id_3=$TF_ROOT_ID_3" \ + -var "root_id=$TF_ROOT_ID" \ -var "root_name=ES-$TF_VERSION-$TF_AZ_VERSION" \ + -var "primary_location=$PRIMARY_LOCATION" \ + -var "secondary_location=$SECONDARY_LOCATION" \ -auto-approve \ - -parallelism=256 \ - -state="./terraform-$TF_VERSION-$TF_AZ_VERSION.tfstate" + -parallelism="$PARALLELISM" status=$? if [ $status -ne 0 ]; then @@ -34,7 +34,7 @@ if [ $status -ne 0 ]; then IFS=$'\n' - TF_ROOT_ID=("$TF_ROOT_ID_1" "$TF_ROOT_ID_2" "$TF_ROOT_ID_3") + TF_ROOT_ID=("$TF_ROOT_ID") for x in "${TF_ROOT_ID[@]}"; do echo "==> Retrieving management group structure..." TMP_FILE="./data.json" diff --git a/tests/scripts/tf-init.sh b/tests/scripts/tf-init.sh index 491bf2e0..164f52e0 100755 --- a/tests/scripts/tf-init.sh 
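Review bot: `TF_WORKSPACE` in tf-apply.sh is assembled from `$PIPELINE_WORKSPACE` and `$TEST_MODULE_PATH` without checking that either is set, and the hunk header shows the script runs with `set -e` only. If `TEST_MODULE_PATH` is empty, `cd "$TF_WORKSPACE"` still succeeds in `$PIPELINE_WORKSPACE/s/` and `terraform apply -auto-approve` runs from the wrong directory. Failing fast is cheap: `TF_WORKSPACE="${PIPELINE_WORKSPACE:?}/s/${TEST_MODULE_PATH:?}"` and `-parallelism="${PARALLELISM:?}"`. The same unguarded assignment is added in tf-destroy.sh, tf-init.sh and tf-plan.sh, and the guard matters most in tf-destroy.sh, where the command is `terraform destroy -auto-approve`.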
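Review bot: The fallback cleanup after `terraform destroy` in tf-destroy.sh looks unreachable, because the hunk header shows `set -e` near the top of the script and a failing `terraform destroy` would therefore end the script before `status=$?` runs. Capturing the exit code on the command itself keeps the fallback alive: put `status=0` before the call and end its last line with `-parallelism="$PARALLELISM" || status=$?`. This hunk also drops `-state=` while tf-plan.sh and tf-apply.sh still pass `-state="$TF_STATE"`; presumably the backend written by tf-init.sh points at the same file, but that should be confirmed, since a destroy against a different state would remove nothing and still exit 0. The `if [ $status -ne 0 ]` block continues outside the hunk.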
+++ b/tests/scripts/tf-init.sh @@ -6,8 +6,57 @@ set -e # - Terraform Initialize # -echo "==> Switching directories..." -cd "$PIPELINE_WORKSPACE/s/tests/deployment" +TF_WORKSPACE="$PIPELINE_WORKSPACE/s/$TEST_MODULE_PATH" -echo "==> Initializaing infrastructure..." +echo "==> Switching directories..." +cd "$TF_WORKSPACE" + +echo "==> Creating terraform_override.tf with required_provider and local backend configuration..." +tee terraform_override.tf < Creating providers_override.tf with subscription configuration and credentials..." +cat >providers_override.tf < Initializaing Terraform workspace..." terraform init diff --git a/tests/scripts/tf-plan.sh b/tests/scripts/tf-plan.sh index 6330a0fc..efa668d8 100755 --- a/tests/scripts/tf-plan.sh +++ b/tests/scripts/tf-plan.sh 
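Review bot: `providers_override.tf` is announced by its own echo line as holding credentials, yet `cat >providers_override.tf` creates it with whatever umask the agent has, which is commonly group- and world-readable. Put `umask 077` on the line before the `cat >providers_override.tf` heredoc so the file is created owner-only, and delete it once the Terraform steps are done. The heredoc bodies are missing from this page, so what is written is inferred from the echo text and from the provider block removed in tf-prepare.sh. The same applies to `"$TF_PLAN_OUT".json` in tf-plan.sh, which the deleted opa-values-generator scripts themselves describe with "can contain sensitive data". Separately, the new message `Initializaing Terraform workspace...` carries over the old typo.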
@@ -5,23 +5,25 @@ set -e # Shell Script # - Terraform Plan # -TF_PLAN_JSON="terraform-plan-$TF_VERSION-$TF_AZ_VERSION" + +TF_WORKSPACE="$PIPELINE_WORKSPACE/s/$TEST_MODULE_PATH" +TF_PLAN_OUT="$TF_WORKSPACE/terraform-plan-$TF_VERSION-$TF_AZ_VERSION" +TF_STATE="../tfstate/terraform-$TF_VERSION-$TF_AZ_VERSION.tfstate" echo "==> Switching directories..." -cd "$PIPELINE_WORKSPACE/s/tests/deployment" +cd "$TF_WORKSPACE" echo "==> Planning infrastructure..." terraform plan \ - -var "location=$DEFAULT_LOCATION" \ - -var "root_id_1=$TF_ROOT_ID_1" \ - -var "root_id_2=$TF_ROOT_ID_2" \ - -var "root_id_3=$TF_ROOT_ID_3" \ + -var "root_id=$TF_ROOT_ID" \ -var "root_name=ES-$TF_VERSION-$TF_AZ_VERSION" \ - -state="./terraform-$TF_VERSION-$TF_AZ_VERSION.tfstate" \ - -out="terraform-plan-$TF_VERSION-$TF_AZ_VERSION" + -var "primary_location=$PRIMARY_LOCATION" \ + -var "secondary_location=$SECONDARY_LOCATION" \ + -state="$TF_STATE" \ + -out="$TF_PLAN_OUT" echo "==> Convert plan to JSON..." -cd "$PIPELINE_WORKSPACE/s/tests/deployment" && terraform show -json "$TF_PLAN_JSON" >"$TF_PLAN_JSON".json +terraform show -json "$TF_PLAN_OUT" >"$TF_PLAN_OUT".json echo "==> List all plan to JSON..." -cd "$PIPELINE_WORKSPACE/s/tests/deployment" && find . -name "*.json" +find . -name "*.json" diff --git a/tests/scripts/tf-prepare.sh b/tests/scripts/tf-prepare.sh index db59c4fc..348c1d77 100755 --- a/tests/scripts/tf-prepare.sh +++ b/tests/scripts/tf-prepare.sh @@ -6,8 +6,10 @@ set -e # - Terraform Prepare # +CREDENTIALS_WORKSPACE="$PIPELINE_WORKSPACE/s/tests" + echo "==> Switching directories..." -cd "$PIPELINE_WORKSPACE/s/tests/deployment" +cd "$CREDENTIALS_WORKSPACE" echo "==> Authenticating cli..." az login \ 
@@ -51,59 +53,12 @@ openssl pkcs12 \ echo "==> Deleting SPN certificate in PEM format..." shred -uz "$SPN_NAME.pem" -echo "==> Creating provider.tf with required_provider version and credentials..." -cat >provider.tf < Storing Client Certificate Details" +echo "##vso[task.setvariable variable=ARM_CERTIFICATE_CLIENT_ID;]$CERTIFICATE_CLIENT_ID" +echo "##vso[task.setvariable variable=ARM_CERTIFICATE_PATH;]$CREDENTIALS_WORKSPACE/$SPN_NAME.pfx" +echo "##vso[task.setvariable variable=ARM_CERTIFICATE_PASSWORD;]$CERTIFICATE_PASSWORD" -provider "azurerm" { - features {} - - alias = "connectivity" - subscription_id = "$TF_SUBSCRIPTION_ID_CONNECTIVITY" - client_id = "$CERTIFICATE_CLIENT_ID" - client_certificate_path = "$SPN_NAME.pfx" - client_certificate_password = "$CERTIFICATE_PASSWORD" - tenant_id = "$ARM_TENANT_ID" -} - -provider "azurerm" { - features {} - - alias = "management" - subscription_id = "$TF_SUBSCRIPTION_ID_MANAGEMENT" - client_id = "$CERTIFICATE_CLIENT_ID" - client_certificate_path = "$SPN_NAME.pfx" - client_certificate_password = "$CERTIFICATE_PASSWORD" - tenant_id = "$ARM_TENANT_ID" -} -TFCONFIG - -echo "==> Generating root id's..." -ROOT_ID_1="${RANDOM}-es" -ROOT_ID_2="${RANDOM}-es" -ROOT_ID_3="${RANDOM}-es" - -echo "==> Azure Root ID 1 - $ROOT_ID_1" -echo "##vso[task.setvariable variable=TF_ROOT_ID_1;]$ROOT_ID_1" - -echo "==> Azure Root ID 2 - $ROOT_ID_2" -echo "##vso[task.setvariable variable=TF_ROOT_ID_2;]$ROOT_ID_2" - -echo "==> Azure Root ID 3 - $ROOT_ID_3" -echo "##vso[task.setvariable variable=TF_ROOT_ID_3;]$ROOT_ID_3" - -echo "==> Displaying environment variables..." -echo "==> Terraform Version - $TF_VERSION" -echo "==> Terraform Provider Version - $TF_AZ_VERSION" +echo "==> Terraform Variable (Root ID) - $TF_ROOT_ID" +echo "==> Terraform Version - $TF_VERSION" +echo "==> Terraform Provider Version - $TF_AZ_VERSION" echo "==> Terraform Variable (Root Name) - ES-$TF_VERSION-$TF_AZ_VERSION" 
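Review bot: The added `task.setvariable` line for `ARM_CERTIFICATE_PASSWORD` publishes the PFX password as an ordinary pipeline variable, so it is not masked in later log output and is exported into the environment of every following step in the job. Mark it secret: `echo "##vso[task.setvariable variable=ARM_CERTIFICATE_PASSWORD;issecret=true]$CERTIFICATE_PASSWORD"`. Secret variables are not mapped into script environments automatically, so the steps that consume it (presumably tf-init.sh) would need an explicit `env:` mapping in the pipeline YAML, which is not visible here. Part of this hunk's text is missing on the page, so only the three `setvariable` lines were reviewed.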
diff --git a/variables.tf b/variables.tf
index b0f6fc16..ffb75c89 100644
--- a/variables.tf
+++ b/variables.tf
@@ -245,7 +245,60 @@ variable "configure_connectivity_resources" {
 })
 })
 )
- vwan_hub_networks = list(object({}))
+ vwan_hub_networks = list(
+ object({
+ enabled = bool
+ config = object({
+ address_prefix = string
+ location = string
+ sku = string
+ routes = list(
+ object({
+ address_prefixes = list(string)
+ next_hop_ip_address = string
+ })
+ )
+ expressroute_gateway = object({
+ enabled = bool
+ config = object({
+ scale_unit = number
+ })
+ })
+ vpn_gateway = object({
+ enabled = bool
+ config = object({
+ bgp_settings = list(
+ object({
+ asn = number
+ peer_weight = number
+ instance_0_bgp_peering_address = list(
+ object({
+ custom_ips = list(string)
+ })
+ )
+ instance_1_bgp_peering_address = list(
+ object({
+ custom_ips = list(string)
+ })
+ )
+ })
+ )
+ routing_preference = string
+ scale_unit = number
+ })
+ })
+ azure_firewall = object({
+ enabled = bool
+ config = object({
+ enable_dns_proxy = bool
+ sku_tier = string
+ })
+ })
+ spoke_virtual_network_resource_ids = list(string)
+ enable_virtual_hub_connections = bool
+ })
+ })
+ )
 ddos_protection_plan = object({
 enabled = bool
 config = object({