allowedValues alignment (#1702)

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jack Tracey <[email protected]>
Co-authored-by: Sacha Narinx <[email protected]>

docs/wiki/Whats-new.md

@@ -1,6 +1,7 @@
 ## In this Section
 
 - [Updates](#updates)
+  - [July 2024](#july-2024)
   - [June 2024](#june-2024)
   - [🆕 AMA Updates](#-ama-updates)
   - [🔃 Policy Refresh H2 FY24](#-policy-refresh-h2-fy24)
@@ -46,6 +47,16 @@ This article will be updated as and when changes are made to the above and anyth
 
 Here's what's changed in Enterprise Scale/Azure Landing Zones:
 
+### July 2024
+
+#### Policy
+
+- Alignment of **allowedValues** in the following initiatives with those used in the included policyDefinitions:
+  - [Enforce recommended guardrails for Azure Key Vault](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-KeyVault.html)
+  - [Enforce recommended guardrails for Kubernetes](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Kubernetes.html)
+  - [Enforce recommended guardrails for Network and Networking services](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Network.html)
+  - [Enforce recommended guardrails for Synapse workspaces](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Synapse.html)
+
 ### June 2024
 
 #### Documentation

eslzArm/managementGroupTemplates/policyDefinitions/policies.json

@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.28.1.47646",
-      "templateHash": "1159734146410583397"
+      "version": "0.29.47.4906",
+      "templateHash": "49176136240050651"
     }
   },
   "parameters": {

eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json

@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.28.1.47646",
-      "templateHash": "7289710698265093596"
+      "version": "0.29.47.4906",
+      "templateHash": "12429908550017328445"
     }
   },
   "variables": {

src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json

@@ -8,7 +8,7 @@
         "displayName": "Enforce recommended guardrails for Azure Key Vault",
         "description": "Enforce recommended guardrails for Azure Key Vault.",
         "metadata": {
-            "version": "2.0.0",
+            "version": "2.1.0",
             "category": "Key Vault",
             "source": "https://github.com/Azure/Enterprise-Scale/",
             "alzCloudEnvironments": [
@@ -236,8 +236,11 @@
                 "type": "string",
                 "defaultValue": "Disabled",
                 "allowedValues": [
+                    "audit",
                     "Audit",
+                    "deny",
                     "Deny",
+                    "disabled",
                     "Disabled"
                 ]
             },

src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes.json

@@ -8,7 +8,7 @@
         "displayName": "Enforce recommended guardrails for Kubernetes",
         "description": "This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.",
         "metadata": {
-            "version": "1.0.0",
+            "version": "1.1.0",
             "category": "Kubernetes",
             "source": "https://github.com/Azure/Enterprise-Scale/",
             "alzCloudEnvironments": [
@@ -81,26 +81,35 @@
                 "type": "string",
                 "defaultValue": "Deny",
                 "allowedValues": [
+                    "audit",
                     "Audit",
+                    "deny",
                     "Deny",
+                    "disabled",
                     "Disabled"
                 ]
             },
             "aksPrivEscalation": {
                 "type": "string",
                 "defaultValue": "Deny",
                 "allowedValues": [
+                    "audit",
                     "Audit",
+                    "deny",
                     "Deny",
+                    "disabled",
                     "Disabled"
                 ]
             },
             "aksAllowedCapabilities": {
                 "type": "string",
                 "defaultValue": "Deny",
                 "allowedValues": [
+                    "audit",
                     "Audit",
+                    "deny",
                     "Deny",
+                    "disabled",
                     "Disabled"
                 ]
             },
@@ -117,17 +126,23 @@
                 "type": "string",
                 "defaultValue": "Deny",
                 "allowedValues": [
+                    "audit",
                     "Audit",
+                    "deny",
                     "Deny",
+                    "disabled",
                     "Disabled"
                 ]
             },
             "aksDefaultNamespace": {
                 "type": "string",
                 "defaultValue": "Deny",
                 "allowedValues": [
+                    "audit",
                     "Audit",
+                    "deny",
                     "Deny",
+                    "disabled",
                     "Disabled"
                 ]
             },
@@ -144,8 +159,11 @@
                 "type": "string",
                 "defaultValue": "Deny",
                 "allowedValues": [
+                    "audit",
                     "Audit",
+                    "deny",
                     "Deny",
+                    "disabled",
                     "Disabled"
                 ]
             },

src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json

@@ -8,7 +8,7 @@
         "displayName": "Enforce recommended guardrails for Network and Networking services",
         "description": "This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.",
         "metadata": {
-            "version": "1.0.0",
+            "version": "1.1.0",
             "category": "Network",
             "source": "https://github.com/Azure/Enterprise-Scale/",
             "alzCloudEnvironments": [
@@ -56,7 +56,12 @@
             },
             "vnetModifyDdos": {
                 "type": "string",
-                "defaultValue": "Modify"
+                "defaultValue": "Modify",
+                "allowedValues": [
+                    "Audit",
+                    "Modify",
+                    "Disabled"
+                ]
             },
             "ddosPlanResourceId": {
                 "type": "string",
@@ -229,9 +234,8 @@
                 "type": "string",
                 "defaultValue": "Deny",
                 "allowedValues": [
-                    "Audit",
-                    "Deny",
-                    "Disabled"
+                    "Allow",
+                    "Deny"
                 ]
             },
             "modifyNsgRuleProtocol": {

src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse.json

@@ -8,7 +8,7 @@
         "displayName": "Enforce recommended guardrails for Synapse workspaces",
         "description": "This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.",
         "metadata": {
-            "version": "1.0.0",
+            "version": "1.1.0",
             "category": "Synapse",
             "source": "https://github.com/Azure/Enterprise-Scale/",
             "alzCloudEnvironments": [
@@ -65,7 +65,6 @@
                 "defaultValue": "Audit",
                 "allowedValues": [
                     "Audit",
-                    "Deny",
                     "Disabled"
                 ]
             },