diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json
index 303a749f97..4a787ed477 100644
--- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json
@@ -1,533 +1,530 @@ { - "name": "Enforce-EncryptTransit_20240509", - "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", - "scope": null, + "name": "Enforce-EncryptTransit_20240509", "properties": { - "policyType": "Custom", - "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. ", + "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", "metadata": { - "version": "1.0.0", - "category": "Encryption", - "source": "https://github.com/Azure/Enterprise-Scale/", - "replacesPolicy": "Enforce-EncryptTransit", "alzCloudEnvironments": [ "AzureCloud", "AzureChinaCloud", "AzureUSGovernment" - ] + ], + "category": "Encryption", + "replacesPolicy": "Enforce-EncryptTransit", + "source": "https://github.com/Azure/Enterprise-Scale/", + "version": "1.0.0" }, "parameters": { + "AKSIngressHttpsOnlyEffect": { + "allowedValues": [ + "audit", + "deny", + "disabled" + ], + "defaultValue": "deny", + "metadata": { + "description": "This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.", + "displayName": "AKS Service. Enforce HTTPS ingress in Kubernetes cluster" + }, + "type": "String" + }, + "APIAppServiceHttpsEffect": { + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Audit", + "metadata": { + "description": "Choose Deny or Audit in combination with Append policy. 
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "displayName": "App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy." + }, + "type": "String" + }, "AppServiceHttpEffect": { - "type": "String", - "defaultValue": "Append", "allowedValues": [ "Append", "Disabled" ], + "defaultValue": "Append", "metadata": { - "displayName": "App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below", - "description": "Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny." - } + "description": "Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.", + "displayName": "App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below" + }, + "type": "String" }, "AppServiceTlsVersionEffect": { - "type": "String", - "defaultValue": "Append", "allowedValues": [ "Append", "Disabled" ], + "defaultValue": "Append", "metadata": { - "displayName": "App Service. Appends the AppService WebApp, APIApp, Function App to enable https only", - "description": "App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny." - } + "description": "App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.", + "displayName": "App Service. 
Appends the AppService WebApp, APIApp, Function App to enable https only" + }, + "type": "String" }, "AppServiceminTlsVersion": { - "type": "String", - "defaultValue": "1.2", "allowedValues": [ "1.2", "1.0", "1.1" ], + "defaultValue": "1.2", "metadata": { - "displayName": "App Service. Select version minimum TLS Web App config", - "description": "App Service. Select version minimum TLS version for a Web App config to enforce" - } - }, - "APIAppServiceHttpsEffect": { - "metadata": { - "displayName": "App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", - "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + "description": "App Service. Select version minimum TLS version for a Web App config to enforce", + "displayName": "App Service. Select version minimum TLS Web App config" }, - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ] + "type": "String" }, - "FunctionLatestTlsEffect": { - "metadata": { - "displayName": "App Service Function App. Latest TLS version should be used in your Function App", - "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." - }, - "type": "String", - "defaultValue": "AuditIfNotExists", + "ContainerAppsHttpsOnlyEffect": { "allowedValues": [ - "AuditIfNotExists", + "Audit", + "Deny", "Disabled" - ] - }, - "FunctionServiceHttpsEffect": { + ], + "defaultValue": "Deny", "metadata": { - "displayName": "App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", - "description": "App Service Function App. Choose Deny or Audit in combination with Append policy. 
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.", + "displayName": "Container Apps should only be accessible over HTTPS" }, - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ] + "type": "String" }, "FunctionAppTlsEffect": { - "metadata": { - "displayName": "App Service Function App. Configure Function apps to use the latest TLS version.", - "description": "App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version." - }, - "type": "string", - "defaultValue": "DeployIfNotExists", "allowedValues": [ "DeployIfNotExists", "Disabled" - ] - }, - "LogicAppTlsEffect": { - "type": "string", + ], "defaultValue": "DeployIfNotExists", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ] - }, - "WebAppServiceLatestTlsEffect": { "metadata": { - "displayName": "App Service Web App. Latest TLS version should be used in your Web App", - "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + "description": "App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.", + "displayName": "App Service Function App. 
Configure Function apps to use the latest TLS version." }, - "type": "String", - "defaultValue": "AuditIfNotExists", + "type": "string" + }, + "FunctionLatestTlsEffect": { "allowedValues": [ "AuditIfNotExists", "Disabled" - ] - }, - "WebAppServiceHttpsEffect": { + ], + "defaultValue": "AuditIfNotExists", "metadata": { - "displayName": "App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", - "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.", + "displayName": "App Service Function App. Latest TLS version should be used in your Function App" }, - "type": "String", - "defaultValue": "Audit", + "type": "String" + }, + "FunctionServiceHttpsEffect": { "allowedValues": [ "Audit", "Disabled", "Deny" - ] - }, - "AKSIngressHttpsOnlyEffect": { + ], + "defaultValue": "Audit", "metadata": { - "displayName": "AKS Service. Enforce HTTPS ingress in Kubernetes cluster", - "description": "This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc." + "description": "App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "displayName": "App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy." 
}, - "type": "String", - "defaultValue": "deny", + "type": "String" + }, + "LogicAppTlsEffect": { "allowedValues": [ - "audit", - "deny", - "disabled" - ] + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "type": "string" }, "MySQLEnableSSLDeployEffect": { - "type": "String", - "defaultValue": "DeployIfNotExists", "allowedValues": [ "DeployIfNotExists", "Disabled" ], + "defaultValue": "DeployIfNotExists", "metadata": { - "displayName": "MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server", - "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." - } + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "displayName": "MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server" + }, + "type": "String" }, "MySQLEnableSSLEffect": { - "metadata": { - "displayName": "MySQL database servers. 
Enforce SSL connection should be enabled for MySQL database servers", - "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." - }, - "type": "String", - "defaultValue": "Audit", "allowedValues": [ "Audit", "Disabled", "Deny" - ] + ], + "defaultValue": "Audit", + "metadata": { + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "displayName": "MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers" + }, + "type": "String" }, "MySQLminimalTlsVersion": { - "type": "String", - "defaultValue": "TLS1_2", "allowedValues": [ "TLS1_2", "TLS1_0", "TLS1_1", "TLSEnforcementDisabled" ], + "defaultValue": "TLS1_2", "metadata": { - "displayName": "MySQL database servers. Select version minimum TLS for MySQL server", - "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" - } + "description": "Select version minimum TLS version Azure Database for MySQL server to enforce", + "displayName": "MySQL database servers. 
Select version minimum TLS for MySQL server" + }, + "type": "String" }, "PostgreSQLEnableSSLDeployEffect": { - "type": "String", - "defaultValue": "DeployIfNotExists", "allowedValues": [ "DeployIfNotExists", "Disabled" ], + "defaultValue": "DeployIfNotExists", "metadata": { - "displayName": "PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server", - "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." - } + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "displayName": "PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server" + }, + "type": "String" }, "PostgreSQLEnableSSLEffect": { - "metadata": { - "displayName": "PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers", - "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). 
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." - }, - "type": "String", - "defaultValue": "Audit", "allowedValues": [ "Audit", "Disabled", "Deny" - ] + ], + "defaultValue": "Audit", + "metadata": { + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "displayName": "PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers" + }, + "type": "String" }, "PostgreSQLminimalTlsVersion": { - "type": "String", - "defaultValue": "TLS1_2", "allowedValues": [ "TLS1_2", "TLS1_0", "TLS1_1", "TLSEnforcementDisabled" ], + "defaultValue": "TLS1_2", "metadata": { - "displayName": "PostgreSQL database servers. Select version minimum TLS for MySQL server", - "description": "PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce" - } - }, - "RedisTLSDeployEffect": { - "type": "String", - "defaultValue": "Append", - "allowedValues": [ - "Append", - "Disabled" - ], - "metadata": { - "displayName": "Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis", - "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. 
Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." - } + "description": "PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce", + "displayName": "PostgreSQL database servers. Select version minimum TLS for MySQL server" + }, + "type": "String" }, "RedisMinTlsVersion": { - "type": "String", - "defaultValue": "1.2", "allowedValues": [ "1.2", "1.0", "1.1" ], + "defaultValue": "1.2", "metadata": { - "displayName": "Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis", - "description": "Select version minimum TLS version for a Azure Cache for Redis to enforce" - } + "description": "Select version minimum TLS version for a Azure Cache for Redis to enforce", + "displayName": "Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis" + }, + "type": "String" }, - "RedisTLSEffect": { + "RedisTLSDeployEffect": { + "allowedValues": [ + "Append", + "Disabled" + ], + "defaultValue": "Append", "metadata": { - "displayName": "Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled", - "description": "Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking." + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. 
Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "displayName": "Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis" }, - "type": "String", - "defaultValue": "Audit", + "type": "String" + }, + "RedisTLSEffect": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "SQLManagedInstanceTLSDeployEffect": { - "type": "String", - "defaultValue": "DeployIfNotExists", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" ], + "defaultValue": "Audit", "metadata": { - "displayName": "Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers", - "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." - } + "description": "Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.", + "displayName": "Azure Cache for Redis. 
Only secure connections to your Azure Cache for Redis should be enabled" + }, + "type": "String" }, "SQLManagedInstanceMinTlsVersion": { - "type": "String", - "defaultValue": "1.2", "allowedValues": [ "1.2", "1.0", "1.1" ], + "defaultValue": "1.2", "metadata": { - "displayName": "Azure Managed Instance.Select version minimum TLS for Azure Managed Instance", - "description": "Select version minimum TLS version for Azure Managed Instanceto to enforce" - } + "description": "Select version minimum TLS version for Azure Managed Instanceto to enforce", + "displayName": "Azure Managed Instance.Select version minimum TLS for Azure Managed Instance" + }, + "type": "String" }, - "SQLManagedInstanceTLSEffect": { + "SQLManagedInstanceTLSDeployEffect": { + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", "metadata": { - "displayName": "SQL Managed Instance should have the minimal TLS version of 1.2", - "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "displayName": "Azure Managed Instance. 
Deploy a specific min TLS version requirement and enforce SSL on SQL servers" }, - "type": "String", - "defaultValue": "Audit", + "type": "String" + }, + "SQLManagedInstanceTLSEffect": { "allowedValues": [ "Audit", "Disabled", "Deny" - ] + ], + "defaultValue": "Audit", + "metadata": { + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.", + "displayName": "SQL Managed Instance should have the minimal TLS version of 1.2" + }, + "type": "String" }, "SQLServerTLSDeployEffect": { - "type": "String", - "defaultValue": "DeployIfNotExists", "allowedValues": [ "DeployIfNotExists", "Disabled" ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "displayName": "Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers" + }, + "type": "String" + }, + "SQLServerTLSEffect": { + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Audit", "metadata": { - "displayName": "Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers", - "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. 
Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." - } + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.", + "displayName": "Azure SQL Database should have the minimal TLS version of 1.2" + }, + "type": "String" }, "SQLServerminTlsVersion": { - "type": "String", - "defaultValue": "1.2", "allowedValues": [ "1.2", "1.0", "1.1" ], + "defaultValue": "1.2", "metadata": { - "displayName": "Azure SQL Database.Select version minimum TLS for Azure SQL Database", - "description": "Select version minimum TLS version for Azure SQL Database to enforce" - } - }, - "SQLServerTLSEffect": { - "metadata": { - "displayName": "Azure SQL Database should have the minimal TLS version of 1.2", - "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + "description": "Select version minimum TLS version for Azure SQL Database to enforce", + "displayName": "Azure SQL Database.Select version minimum TLS for Azure SQL Database" }, - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ] + "type": "String" }, "StorageDeployHttpsEnabledEffect": { - "metadata": { - "displayName": "Azure Storage Account. 
Deploy Secure transfer to storage accounts should be enabled", - "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking" - }, - "type": "String", - "defaultValue": "DeployIfNotExists", "allowedValues": [ "DeployIfNotExists", "Disabled" - ] + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking", + "displayName": "Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled" + }, + "type": "String" }, "StorageminimumTlsVersion": { - "type": "String", - "defaultValue": "TLS1_2", "allowedValues": [ "TLS1_2", "TLS1_1", "TLS1_0" ], + "defaultValue": "TLS1_2", "metadata": { - "displayName": "Storage Account select minimum TLS version", - "description": "Select version minimum TLS version on Azure Storage Account to enforce" - } - }, - "ContainerAppsHttpsOnlyEffect": { - "metadata": { - "displayName": "Container Apps should only be accessible over HTTPS", - "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps." 
+ "description": "Select version minimum TLS version on Azure Storage Account to enforce", + "displayName": "Storage Account select minimum TLS version" }, - "type": "String", - "defaultValue": "Deny", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ] + "type": "String" }, - "logicAppHttpsEffect": { - "type": "string", - "defaultValue": "Deny", + "WebAppServiceHttpsEffect": { "allowedValues": [ "Audit", - "Deny", - "Disabled" - ] + "Disabled", + "Deny" + ], + "defaultValue": "Audit", + "metadata": { + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "displayName": "App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy." + }, + "type": "String" }, - "appServiceAppsTls": { - "type": "string", - "defaultValue": "DeployIfNotExists", + "WebAppServiceLatestTlsEffect": { "allowedValues": [ - "DeployIfNotExists", + "AuditIfNotExists", "Disabled" - ] + ], + "defaultValue": "AuditIfNotExists", + "metadata": { + "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.", + "displayName": "App Service Web App. 
Latest TLS version should be used in your Web App" + }, + "type": "String" }, - "functionAppSlotsTls": { - "type": "string", - "defaultValue": "DeployIfNotExists", + "appServiceAppSlotTls": { "allowedValues": [ "DeployIfNotExists", "Disabled" - ] + ], + "defaultValue": "DeployIfNotExists", + "type": "string" }, - "appServiceAppsHttps": { - "type": "string", - "defaultValue": "Deny", + "appServiceAppSlotsHttps": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "appServiceTls": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + "appServiceAppsHttps": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] + ], + "defaultValue": "Deny", + "type": "string" }, - "appServiceAppSlotTls": { - "type": "string", - "defaultValue": "DeployIfNotExists", + "appServiceAppsTls": { "allowedValues": [ "DeployIfNotExists", "Disabled" - ] + ], + "defaultValue": "DeployIfNotExists", + "type": "string" }, - "functionAppSlotsHttps": { - "type": "string", - "defaultValue": "Deny", + "appServiceTls": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "functionAppHttps": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + "containerAppsHttps": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "appServiceAppSlotsHttps": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + "eventHubMinTls": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "containerAppsHttps": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + "functionAppHttps": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "eventHubMinTls": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + "functionAppSlotsHttps": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] + ], + "defaultValue": "Deny", + "type": "string" + }, + "functionAppSlotsTls": { + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "type": "string" 
}, - "sqlManagedTlsVersion": { - "type": "string", - "defaultValue": "Audit", + "logicAppHttpsEffect": { "allowedValues": [ "Audit", + "Deny", "Disabled" - ] + ], + "defaultValue": "Deny", + "type": "string" }, "sqlDbTls": { - "type": "string", - "defaultValue": "Deny", "allowedValues": [ "Audit", "Deny", "Disabled" - ] + ], + "defaultValue": "Deny", + "type": "string" + }, + "sqlManagedTlsVersion": { + "allowedValues": [ + "Audit", + "Disabled" + ], + "defaultValue": "Audit", + "type": "string" }, "storageAccountsTls": { - "type": "string", - "defaultValue": "Deny", "allowedValues": [ "Audit", "Deny", "Disabled" - ] + ], + "defaultValue": "Deny", + "type": "string" }, "synapseTlsVersion": { - "type": "string", - "defaultValue": "Deny", "allowedValues": [ "Audit", "Deny", "Disabled" - ] + ], + "defaultValue": "Deny", + "type": "string" } }, + "policyDefinitionGroups": null, "policyDefinitions": [ { - "policyDefinitionReferenceId": "AppServiceHttpEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", + "groupNames": [], "parameters": { "effect": { "value": "[[parameters('AppServiceHttpEffect')]" } }, - "groupNames": [] + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", + "policyDefinitionReferenceId": "AppServiceHttpEffect" }, { - "policyDefinitionReferenceId": "AppServiceminTlsVersion", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", + "groupNames": [], "parameters": { "effect": { "value": "[[parameters('AppServiceTlsVersionEffect')]" 
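Review bot: The PostgreSQLminimalTlsVersion metadata on the new side still names the wrong service — its displayName reads `"PostgreSQL database servers. Select version minimum TLS for MySQL server"` and its description ends with `"... Azure Database for MySQL server to enforce"`; since the commit rewrites these lines anyway, they should read `"displayName": "PostgreSQL database servers. Select version minimum TLS for PostgreSQL server"` and `"description": "Select version minimum TLS version Azure Database for PostgreSQL server to enforce"`, mirroring the MySQLminimalTlsVersion wording. The parameters from appServiceAppSlotTls through synapseTlsVersion, plus LogicAppTlsEffect and logicAppHttpsEffect, carry no `metadata` at all, so assignment UIs presumably fall back to the bare parameter name next to the fully described entries; a short `displayName`/`description` pair per parameter, in the style of the existing ones, would close that gap and make clear which resource each Deny default applies to. The `type` value is `"String"` for the older parameters and `"string"` for the newer ones; the casing is presumably harmless to ARM but worth normalizing while the keys are being re-sorted. The top-level object and the policyDefinitions array continue past the end of this hunk.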
@@ -536,71 +533,71 @@ "value": "[[parameters('AppServiceminTlsVersion')]" } }, - "groupNames": [] + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", + "policyDefinitionReferenceId": "AppServiceminTlsVersion" }, { - "policyDefinitionReferenceId": "FunctionLatestTlsEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", + "groupNames": [], "parameters": { "effect": { "value": "[[parameters('FunctionLatestTlsEffect')]" } }, - "groupNames": [] + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", + "policyDefinitionReferenceId": "FunctionLatestTlsEffect" }, { - "policyDefinitionReferenceId": "WebAppServiceLatestTlsEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", + "groupNames": [], "parameters": { "effect": { "value": "[[parameters('WebAppServiceLatestTlsEffect')]" } }, - "groupNames": [] + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", + "policyDefinitionReferenceId": "WebAppServiceLatestTlsEffect" }, { - "policyDefinitionReferenceId": "APIAppServiceHttpsEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", + "groupNames": [], "parameters": { "effect": { "value": "[[parameters('APIAppServiceHttpsEffect')]" } }, - "groupNames": [] + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", + "policyDefinitionReferenceId": "APIAppServiceHttpsEffect" }, { - "policyDefinitionReferenceId": "FunctionServiceHttpsEffect", - "policyDefinitionId": 
"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", + "groupNames": [], "parameters": { "effect": { "value": "[[parameters('FunctionServiceHttpsEffect')]" } }, - "groupNames": [] + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", + "policyDefinitionReferenceId": "FunctionServiceHttpsEffect" }, { - "policyDefinitionReferenceId": "WebAppServiceHttpsEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", + "groupNames": [], "parameters": { "effect": { "value": "[[parameters('WebAppServiceHttpsEffect')]" } }, - "groupNames": [] + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", + "policyDefinitionReferenceId": "WebAppServiceHttpsEffect" }, { - "policyDefinitionReferenceId": "AKSIngressHttpsOnlyEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "groupNames": [], "parameters": { "effect": { "value": "[[parameters('AKSIngressHttpsOnlyEffect')]" } }, - "groupNames": [] + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "policyDefinitionReferenceId": "AKSIngressHttpsOnlyEffect" }, { - "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", + "groupNames": [], "parameters": { "effect": { "value": "[[parameters('MySQLEnableSSLDeployEffect')]" 
@@ -609,11 +606,11 @@
 "value": "[[parameters('MySQLminimalTlsVersion')]"
 }
 },
- "groupNames": []
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement",
+ "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect"
 },
 {
- "policyDefinitionReferenceId": "MySQLEnableSSLEffect",
- "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http",
+ "groupNames": [],
 "parameters": {
 "effect": {
 "value": "[[parameters('MySQLEnableSSLEffect')]"
@@ -622,11 +619,11 @@
 "value": "[[parameters('MySQLminimalTlsVersion')]"
 }
 },
- "groupNames": []
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http",
+ "policyDefinitionReferenceId": "MySQLEnableSSLEffect"
 },
 {
- "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect",
- "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement",
+ "groupNames": [],
 "parameters": {
 "effect": {
 "value": "[[parameters('PostgreSQLEnableSSLDeployEffect')]"
@@ -635,11 +632,11 @@
 "value": "[[parameters('PostgreSQLminimalTlsVersion')]"
 }
 },
- "groupNames": []
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement",
+ "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect"
 },
 {
- "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect",
- "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http",
+ "groupNames": [],
 "parameters": {
 "effect": {
 "value": "[[parameters('PostgreSQLEnableSSLEffect')]"
@@ -648,11 +645,11 @@
 "value": "[[parameters('PostgreSQLminimalTlsVersion')]"
 }
 },
- "groupNames": []
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http",
+ "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect"
 },
 {
- "policyDefinitionReferenceId": "RedisTLSDeployEffect",
- "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement",
+ "groupNames": [],
 "parameters": {
 "effect": {
 "value": "[[parameters('RedisTLSDeployEffect')]"
@@ -661,21 +658,21 @@
 "value": "[[parameters('RedisMinTlsVersion')]"
 }
 },
- "groupNames": []
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement",
+ "policyDefinitionReferenceId": "RedisTLSDeployEffect"
 },
 {
- "policyDefinitionReferenceId": "RedisdisableNonSslPort",
- "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort",
+ "groupNames": [],
 "parameters": {
 "effect": {
 "value": "[[parameters('RedisTLSDeployEffect')]"
 }
 },
- "groupNames": []
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort",
+ "policyDefinitionReferenceId": "RedisdisableNonSslPort"
 },
 {
- "policyDefinitionReferenceId": "RedisDenyhttps",
- "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http",
+ "groupNames": [],
 "parameters": {
 "effect": {
 "value": "[[parameters('RedisTLSEffect')]"
@@ -684,11 +681,11 @@
 "value": "[[parameters('RedisMinTlsVersion')]"
 }
 },
- "groupNames": []
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http",
+ "policyDefinitionReferenceId": "RedisDenyhttps"
 },
 {
- "policyDefinitionReferenceId": "SQLManagedInstanceTLSDeployEffect",
- "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS",
+ "groupNames": [],
 "parameters": {
 "effect": {
 "value": "[[parameters('SQLManagedInstanceTLSDeployEffect')]"
@@ -697,11 +694,11 @@
 "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]"
 }
 },
- "groupNames": []
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS",
+ "policyDefinitionReferenceId": "SQLManagedInstanceTLSDeployEffect"
 },
 {
- "policyDefinitionReferenceId": "SQLManagedInstanceTLSEffect",
- "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS",
+ "groupNames": [],
 "parameters": {
 "effect": {
 "value": "[[parameters('SQLManagedInstanceTLSEffect')]"
@@ -710,11 +707,11 @@
 "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]"
 }
 },
- "groupNames": []
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS",
+ "policyDefinitionReferenceId": "SQLManagedInstanceTLSEffect"
 },
 {
- "policyDefinitionReferenceId": "SQLServerTLSDeployEffect",
- "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS",
+ "groupNames": [],
 "parameters": {
 "effect": {
 "value": "[[parameters('SQLServerTLSDeployEffect')]"
@@ -723,11 +720,11 @@
 "value": "[[parameters('SQLServerminTlsVersion')]"
 }
 },
- "groupNames": []
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS",
+ "policyDefinitionReferenceId": "SQLServerTLSDeployEffect"
 },
 {
- "policyDefinitionReferenceId": "SQLServerTLSEffect",
- "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS",
+ "groupNames": [],
 "parameters": {
 "effect": {
 "value": "[[parameters('SQLServerTLSEffect')]"
@@ -736,11 +733,11 @@
 "value": "[[parameters('SQLServerminTlsVersion')]"
 }
 },
- "groupNames": []
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS",
+ "policyDefinitionReferenceId": "SQLServerTLSEffect"
 },
 {
- "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect",
- "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement",
+ "groupNames": [],
 "parameters": {
 "effect": {
 "value": "[[parameters('StorageDeployHttpsEnabledEffect')]"
@@ -749,189 +746,192 @@ "value": "[[parameters('StorageMinimumTlsVersion')]" } }, - "groupNames": [] + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", + "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect" }, { - "policyDefinitionReferenceId": "ContainerAppsHttpsOnlyEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb", + "groupNames": [], "parameters": { "effect": { "value": "[[parameters('ContainerAppsHttpsOnlyEffect')]" } }, - "groupNames": [] + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb", + "policyDefinitionReferenceId": "ContainerAppsHttpsOnlyEffect" }, { - "policyDefinitionReferenceId": "Dine-FunctionApp-Tls", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('FunctionAppTlsEffect')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0", + "policyDefinitionReferenceId": "Dine-FunctionApp-Tls" }, { - "policyDefinitionReferenceId": "Deploy-LogicApp-TLS", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('LogicAppTlsEffect')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS", + "policyDefinitionReferenceId": "Deploy-LogicApp-TLS" }, { - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https", - 
"policyDefinitionReferenceId": "Deny-LogicApp-Without-Https", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('logicAppHttpsEffect')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https", + "policyDefinitionReferenceId": "Deny-LogicApp-Without-Https" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063", - "policyDefinitionReferenceId": "Dine-Function-Apps-Slots-Tls", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('functionAppSlotsTls')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063", + "policyDefinitionReferenceId": "Dine-Function-Apps-Slots-Tls" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d", - "policyDefinitionReferenceId": "Dine-AppService-Apps-Tls", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('appServiceAppsTls')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d", + "policyDefinitionReferenceId": "Dine-AppService-Apps-Tls" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d", - "policyDefinitionReferenceId": "Deny-AppService-Apps-Https", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('appServiceAppsHttps')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d", + "policyDefinitionReferenceId": "Deny-AppService-Apps-Https" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50", - "policyDefinitionReferenceId": "Deny-AppService-Tls", "groupNames": [], 
"parameters": { "effect": { "value": "[[parameters('appServiceTls')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50", + "policyDefinitionReferenceId": "Deny-AppService-Tls" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df", - "policyDefinitionReferenceId": "DINE-AppService-AppSlotTls", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('appServiceAppSlotTls')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df", + "policyDefinitionReferenceId": "DINE-AppService-AppSlotTls" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71", - "policyDefinitionReferenceId": "Deny-FuncAppSlots-Https", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('functionAppSlotsHttps')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71", + "policyDefinitionReferenceId": "Deny-FuncAppSlots-Https" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab", - "policyDefinitionReferenceId": "Deny-FunctionApp-Https", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('functionAppHttps')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab", + "policyDefinitionReferenceId": "Deny-FunctionApp-Https" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc", - "policyDefinitionReferenceId": "Deny-AppService-Slots-Https", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('appServiceAppSlotsHttps')]" } - } + }, + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc", + "policyDefinitionReferenceId": "Deny-AppService-Slots-Https" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb", - "policyDefinitionReferenceId": "Deny-ContainerApps-Https", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('containerAppsHttps')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb", + "policyDefinitionReferenceId": "Deny-ContainerApps-Https" }, { - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-MINTLS", - "policyDefinitionReferenceId": "Deny-EH-MINTLS", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('eventHubMinTls')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minNTLS", + "policyDefinitionReferenceId": "Deny-EH-minTLS" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4", - "policyDefinitionReferenceId": "Deny-Sql-Managed-Tls-Version", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('sqlManagedTlsVersion')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4", + "policyDefinitionReferenceId": "Deny-Sql-Managed-Tls-Version" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf", - "policyDefinitionReferenceId": "Deny-Sql-Db-Tls", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('sqlDbTls')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf", + 
"policyDefinitionReferenceId": "Deny-Sql-Db-Tls" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0", - "policyDefinitionReferenceId": "Deny-Storage-Tls", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('storageAccountsTls')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0", + "policyDefinitionReferenceId": "Deny-Storage-Tls" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4", - "policyDefinitionReferenceId": "Deny-Synapse-Tls-Version", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('synapseTlsVersion')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4", + "policyDefinitionReferenceId": "Deny-Synapse-Tls-Version" } ], - "policyDefinitionGroups": null - } -} \ No newline at end of file + "policyType": "Custom" + }, + "scope": null, + "type": "Microsoft.Authorization/policySetDefinitions" +} diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json index 4c67ef5539..6f393a3ae8 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json 
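Review bot: The Event Hub member's new `policyDefinitionId` ends in `Deny-EH-minNTLS` while its `policyDefinitionReferenceId` reads `Deny-EH-minTLS`; the extra `N` looks like a typo, and unless a definition with exactly that name exists at the target management group the initiative deployment will most likely be rejected, taking the Event Hub minimum-TLS control down with it. If the rename is intended, `"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS"` keeps the two consistent. Renaming the reference id away from `Deny-EH-MINTLS` also detaches any existing exemption or compliance history keyed on the old id, and the same applies to the `Deny-Subnet-Without-UDR` → `Deny-Subnet-Without-Udr` rename in the Network initiative's last hunk, which runs past this view; a note in the commit message or a metadata version bump would flag that to assigners. Separately, built-in `0e80e269-43a4-4ae9-b5bc-178126b8a5cb` is referenced twice here (`ContainerAppsHttpsOnlyEffect` and `Deny-ContainerApps-Https`) with independent effect parameters, so the control is evaluated twice and an assigner must set both parameters to change it; that predates this change but is worth collapsing into one member.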
@@ -1,344 +1,340 @@ { - "name": "Enforce-Guardrails-Network", - "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", - "scope": null, + "name": "Enforce-Guardrails-Network", "properties": { - "policyType": "Custom", - "displayName": "Enforce recommended guardrails for Network and Networking services", "description": "This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.", + "displayName": "Enforce recommended guardrails for Network and Networking services", "metadata": { - "version": "1.0.0", - "category": "Network", - "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ "AzureCloud", "AzureChinaCloud", "AzureUSGovernment" - ] + ], + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "version": "1.0.0" }, "parameters": { - "subnetUdr": { - "type": "string", - "defaultValue": "Deny", + "afwEmptyIDPSBypassList": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "subnetNsg": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + "afwEnableAllIDPSSignatureRules": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "subnetServiceEndpoint": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + "afwEnableIDPS": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "appGwWaf": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + "afwEnableTlsInspection": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "vnetModifyDdos": { - "type": "string", - "defaultValue": "Modify" - }, - "ddosPlanResourceId": { - "type": "string", - "defaultValue": "" - }, - "wafMode": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + "afwEnbaleTlsForAllAppRules": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "wafModeRequirement": { - "type": "string", - "defaultValue": "Prevention" - }, - 
"wafFwRules": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + "appGwTlsVersion": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "wafModeAppGw": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + "appGwWaf": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] + ], + "defaultValue": "Deny", + "type": "string" }, - "wafModeAppGwRequirement": { - "type": "string", - "defaultValue": "Prevention" + "ddosPlanResourceId": { + "defaultValue": "", + "type": "string" }, "denyMgmtFromInternet": { - "type": "string", - "defaultValue": "Deny", "allowedValues": [ "Audit", "Deny", "Disabled" - ] + ], + "defaultValue": "Deny", + "type": "string" }, "denyMgmtFromInternetPorts": { - "type": "Array", - "metadata": { - "displayName": "Ports", - "description": "Ports to be blocked" - }, "defaultValue": [ "22", "3389" - ] + ], + "metadata": { + "description": "Ports to be blocked", + "displayName": "Ports" + }, + "type": "Array" }, - "afwEnbaleTlsForAllAppRules": { - "type": "string", - "defaultValue": "Deny", + "modifyNsg": { "allowedValues": [ - "Audit", - "Deny", + "Modify", "Disabled" - ] + ], + "defaultValue": "Disabled", + "type": "string" }, - "afwEnableTlsInspection": { - "type": "string", - "defaultValue": "Deny", + "modifyNsgRuleAccess": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "afwEmptyIDPSBypassList": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + "modifyNsgRuleDescription": { + "defaultValue": "Deny any outbound traffic to the Internet", + "type": "string" + }, + "modifyNsgRuleDestinationAddressPrefix": { + "defaultValue": "Internet", + "type": "string" + }, + "modifyNsgRuleDestinationPortRange": { + "defaultValue": "*", + "type": "string" + }, + "modifyNsgRuleDirection": { + "defaultValue": "Outbound", + "type": "string" + }, + "modifyNsgRuleName": { + "defaultValue": "DenyAnyInternetOutbound", + "type": "string" + }, + "modifyNsgRulePriority": { + 
"defaultValue": 1000, + "type": "integer" + }, + "modifyNsgRuleProtocol": { + "defaultValue": "*", + "type": "string" + }, + "modifyNsgRuleSourceAddressPrefix": { + "defaultValue": "*", + "type": "string" + }, + "modifyNsgRuleSourcePortRange": { + "defaultValue": "*", + "type": "string" + }, + "modifyUdr": { + "defaultValue": "Disabled", + "type": "string" + }, + "modifyUdrAddressPrefix": { + "defaultValue": "0.0.0.0/0", + "type": "string" + }, + "modifyUdrNextHopIpAddress": { + "defaultValue": "", + "type": "string" + }, + "modifyUdrNextHopType": { + "defaultValue": "None", + "type": "string" + }, + "subnetNsg": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "afwEnableAllIDPSSignatureRules": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + "subnetServiceEndpoint": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "afwEnableIDPS": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + "subnetUdr": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "wafAfdEnabled": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + "vnetModifyDdos": { + "defaultValue": "Modify", + "type": "string" + }, + "vpnAzureAD": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "vpnAzureAD": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + "wafAfdEnabled": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "appGwTlsVersion": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + "wafFwRules": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "modifyUdr": { - "type": "string", - "defaultValue": "Disabled" - }, - "modifyUdrNextHopIpAddress": { - "type": "string", - "defaultValue": "" - }, - "modifyUdrNextHopType": { - "type": "string", - "defaultValue": "None" - }, - "modifyUdrAddressPrefix": { - "type": "string", - "defaultValue": "0.0.0.0/0" + ], + "defaultValue": "Deny", + "type": "string" }, - "modifyNsg": { 
- "type": "string", - "defaultValue": "Disabled", + "wafMode": { "allowedValues": [ - "Modify", + "Audit", + "Deny", "Disabled" - ] - }, - "modifyNsgRuleName": { - "type": "string", - "defaultValue": "DenyAnyInternetOutbound" - }, - "modifyNsgRulePriority": { - "type": "integer", - "defaultValue": 1000 - }, - "modifyNsgRuleDirection": { - "type": "string", - "defaultValue": "Outbound" - }, - "modifyNsgRuleAccess": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + "wafModeAppGw": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "modifyNsgRuleProtocol": { - "type": "string", - "defaultValue": "*" - }, - "modifyNsgRuleSourceAddressPrefix": { - "type": "string", - "defaultValue": "*" - }, - "modifyNsgRuleSourcePortRange": { - "type": "string", - "defaultValue": "*" - }, - "modifyNsgRuleDestinationAddressPrefix": { - "type": "string", - "defaultValue": "Internet" + ], + "defaultValue": "Deny", + "type": "string" }, - "modifyNsgRuleDestinationPortRange": { - "type": "string", - "defaultValue": "*" + "wafModeAppGwRequirement": { + "defaultValue": "Prevention", + "type": "string" }, - "modifyNsgRuleDescription": { - "type": "string", - "defaultValue": "Deny any outbound traffic to the Internet" + "wafModeRequirement": { + "defaultValue": "Prevention", + "type": "string" } }, + "policyDefinitionGroups": null, "policyDefinitions": [ { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010", - "policyDefinitionReferenceId": "Deny-Nsg-GW-subnet", "groupNames": [], - "parameters": {} + "parameters": {}, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010", + "policyDefinitionReferenceId": "Deny-Nsg-GW-subnet" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7", - "policyDefinitionReferenceId": "Deny-VPN-AzureAD", "groupNames": [], "parameters": { 
"effect": { "value": "[[parameters('vpnAzureAD')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7", + "policyDefinitionReferenceId": "Deny-VPN-AzureAD" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c", - "policyDefinitionReferenceId": "Deny-Waf-Afd-Enabled", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('wafAfdEnabled')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c", + "policyDefinitionReferenceId": "Deny-Waf-Afd-Enabled" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a", - "policyDefinitionReferenceId": "Deny-Waf-IDPS", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('afwEnableIDPS')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a", + "policyDefinitionReferenceId": "Deny-Waf-IDPS" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5", - "policyDefinitionReferenceId": "Deny-FW-AllIDPSS", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('afwEnableAllIDPSSignatureRules')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5", + "policyDefinitionReferenceId": "Deny-FW-AllIDPSS" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50", - "policyDefinitionReferenceId": "Deny-FW-EmpIDPSBypass", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('afwEmptyIDPSBypassList')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50", + 
"policyDefinitionReferenceId": "Deny-FW-EmpIDPSBypass" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17", - "policyDefinitionReferenceId": "Deny-FW-TLS-Inspection", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('afwEnableTlsInspection')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17", + "policyDefinitionReferenceId": "Deny-FW-TLS-Inspection" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596", - "policyDefinitionReferenceId": "Deny-FW-TLS-AllApp", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('afwEnbaleTlsForAllAppRules')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596", + "policyDefinitionReferenceId": "Deny-FW-TLS-AllApp" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096", - "policyDefinitionReferenceId": "Deny-Waf-AppGw-mode", "groupNames": [], "parameters": { "effect": { 
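Review bot: `modifyUdr` and `vnetModifyDdos` drive `Modify`-class members (the latter defaults to `Modify`) but, unlike `modifyNsg`, declare no `allowedValues`, so an assignment can pass any string and the mistake only surfaces at evaluation time; `"modifyUdr": { "allowedValues": [ "Modify", "Disabled" ], "defaultValue": "Disabled", "type": "string" }` and the equivalent for `vnetModifyDdos` close that gap. `ddosPlanResourceId` defaults to `""` while `vnetModifyDdos` defaults to `Modify`, so the DDoS member (`Modify-vNet-DDoS` in a later hunk, which passes it as `ddosPlan`) is active out of the box with no plan to attach — presumably the built-in tolerates the empty value, but a `metadata.description` such as `"Resource id of the DDoS protection plan; required for the Modify effect to attach anything"` would make that explicit to assigners. The misspelled key `afwEnbaleTlsForAllAppRules` is carried over; it is part of the assignment contract, so renaming it would break existing assignments, but a `metadata.displayName` with the correct spelling would keep the portal readable. All of this predates the change; the hunk itself only reorders keys.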
@@ -347,21 +343,21 @@
 "modeRequirement": {
 "value": "[[parameters('wafModeAppGwRequirement')]"
 }
- }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096",
+ "policyDefinitionReferenceId": "Deny-Waf-AppGw-mode"
 },
 {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d",
- "policyDefinitionReferenceId": "Deny-Waf-Fw-rules",
 "groupNames": [],
 "parameters": {
 "effect": {
 "value": "[[parameters('wafFwRules')]"
 }
- }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d",
+ "policyDefinitionReferenceId": "Deny-Waf-Fw-rules"
 },
 {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8",
- "policyDefinitionReferenceId": "Deny-Waf-mode",
 "groupNames": [],
 "parameters": {
 "effect": {
@@ -370,76 +366,76 @@ "modeRequirement": { "value": "[[parameters('wafModeRequirement')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8", + "policyDefinitionReferenceId": "Deny-Waf-mode" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", - "policyDefinitionReferenceId": "Modify-vNet-DDoS", "groupNames": [], "parameters": { - "effect": { - "value": "[[parameters('vnetModifyDdos')]" - }, "ddosPlan": { "value": "[[parameters('ddosPlanResourceId')]" + }, + "effect": { + "value": "[[parameters('vnetModifyDdos')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", + "policyDefinitionReferenceId": "Modify-vNet-DDoS" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900", - "policyDefinitionReferenceId": "Deny-Ip-Forwarding", "groupNames": [], - "parameters": {} + "parameters": {}, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900", + "policyDefinitionReferenceId": "Deny-Ip-Forwarding" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114", - "policyDefinitionReferenceId": "Deny-vNic-Pip", "groupNames": [], - "parameters": {} + "parameters": {}, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114", + "policyDefinitionReferenceId": "Deny-vNic-Pip" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66", - "policyDefinitionReferenceId": "Deny-AppGw-Without-Waf", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('appGwWaf')]" } - } + }, + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66", + "policyDefinitionReferenceId": "Deny-AppGw-Without-Waf" }, { - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-UDR", - "policyDefinitionReferenceId": "Deny-Subnet-Without-UDR", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('subnetUdr')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr", + "policyDefinitionReferenceId": "Deny-Subnet-Without-Udr" }, { - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", - "policyDefinitionReferenceId": "Deny-Subnet-Without-NSG", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('subnetNsg')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", + "policyDefinitionReferenceId": "Deny-Subnet-Without-NSG" }, { - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints", - "policyDefinitionReferenceId": "Deny-Subnet-with-Service-Endpoints", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('subnetServiceEndpoint')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints", + "policyDefinitionReferenceId": "Deny-Subnet-with-Service-Endpoints" }, { - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet", - 
"policyDefinitionReferenceId": "Deny-Mgmt-From-Internet", "groupNames": [], "parameters": { "effect": { @@ -448,23 +444,26 @@ "ports": { "value": "[[parameters('denyMgmtFromInternetPorts')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet", + "policyDefinitionReferenceId": "Deny-Mgmt-From-Internet" }, { - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls", - "policyDefinitionReferenceId": "Deny-AppGw-Without-Tls", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('appGwTlsVersion')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls", + "policyDefinitionReferenceId": "Deny-AppGw-Without-Tls" }, { - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR", - "policyDefinitionReferenceId": "Modify-Udr", "groupNames": [], "parameters": { + "addressPrefix": { + "value": "[[parameters('modifyUdrAddressPrefix')]" + }, "effect": { "value": "[[parameters('modifyUdr')]" }, 
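Review bot: Changing `policyDefinitionReferenceId` from `Deny-Subnet-Without-UDR` to `Deny-Subnet-Without-Udr` is a breaking change for every tenant that has assigned this initiative, not a cosmetic one: policy exemptions (`policyDefinitionReferenceIds`), assignment `overrides`/`nonComplianceMessages` selectors and compliance history are keyed on that exact string, so existing exemptions for this policy silently stop matching and it reappears as a fresh, non-compliant entry after the update. The case change inside `policyDefinitionId` should be harmless (ARM resource IDs are expected to resolve case-insensitively, worth confirming for policy definitions), but the reference ID should keep its published value, `"policyDefinitionReferenceId": "Deny-Subnet-Without-UDR"`. The neighbouring entry, which this hunk leaves as `Deny-Subnet-Without-NSG`, shows the inconsistency the rename introduces. If the rename is intentional, bump the initiative's `metadata.version` and note it as breaking so assigning tenants can re-create their exemptions.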
@@ -473,31 +472,37 @@ }, "nextHopType": { "value": "[[parameters('modifyUdrNextHopType')]" - }, - "addressPrefix": { - "value": "[[parameters('modifyUdrAddressPrefix')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR", + "policyDefinitionReferenceId": "Modify-Udr" }, { - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG", - "policyDefinitionReferenceId": "Modify-Nsg", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('modifyNsg')]" }, - "nsgRuleName": { - "value": "[[parameters('modifyNsgRuleName')]" + "nsgRuleAccess": { + "value": "[[parameters('modifyNsgRuleAccess')]" }, - "nsgRulePriority": { - "value": "[[parameters('modifyNsgRulePriority')]" + "nsgRuleDescription": { + "value": "[[parameters('modifyNsgRuleDescription')]" + }, + "nsgRuleDestinationAddressPrefix": { + "value": "[[parameters('modifyNsgRuleDestinationAddressPrefix')]" + }, + "nsgRuleDestinationPortRange": { + "value": "[[parameters('modifyNsgRuleDestinationPortRange')]" }, "nsgRuleDirection": { "value": "[[parameters('modifyNsgRuleDirection')]" }, - "nsgRuleAccess": { - "value": "[[parameters('modifyNsgRuleAccess')]" + "nsgRuleName": { + "value": "[[parameters('modifyNsgRuleName')]" + }, + "nsgRulePriority": { + "value": "[[parameters('modifyNsgRulePriority')]" }, "nsgRuleProtocol": { "value": "[[parameters('modifyNsgRuleProtocol')]" 
@@ -507,19 +512,14 @@ }, "nsgRuleSourcePortRange": { "value": "[[parameters('modifyNsgRuleSourcePortRange')]" - }, - "nsgRuleDestinationAddressPrefix": { - "value": "[[parameters('modifyNsgRuleDestinationAddressPrefix')]" - }, - "nsgRuleDestinationPortRange": { - "value": "[[parameters('modifyNsgRuleDestinationPortRange')]" - }, - "nsgRuleDescription": { - "value": "[[parameters('modifyNsgRuleDescription')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG", + "policyDefinitionReferenceId": "Modify-Nsg" } ], - "policyDefinitionGroups": null - } -} \ No newline at end of file + "policyType": "Custom" + }, + "scope": null, + "type": "Microsoft.Authorization/policySetDefinitions" +} diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json index 81fe23c337..70460c0fa6 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json 
@@ -1,322 +1,318 @@ { - "name": "Enforce-Guardrails-Storage", - "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", - "scope": null, + "name": "Enforce-Guardrails-Storage", "properties": { - "policyType": "Custom", - "displayName": "Enforce recommended guardrails for Storage Account", "description": "This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.", + "displayName": "Enforce recommended guardrails for Storage Account", "metadata": { - "version": "1.0.0", - "category": "Storage", - "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ "AzureCloud", "AzureChinaCloud", "AzureUSGovernment" - ] + ], + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "version": "1.0.0" }, "parameters": { - "storageKeysExpiration": { - "type": "string", - "defaultValue": "Deny", + "modifyStorageAccountPublicEndpoint": { "allowedValues": [ - "Audit", - "Deny", + "Modify", "Disabled" - ] + ], + "defaultValue": "Modify", + "type": "string" }, - "storageAccountNetworkRules": { - "type": "string", - "defaultValue": "Deny", + "modifyStorageFileSyncPublicEndpoint": { "allowedValues": [ - "Audit", - "Deny", + "Modify", "Disabled" - ] + ], + "defaultValue": "Modify", + "type": "string" }, - "storageAccountRestrictNetworkRules": { - "type": "string", - "defaultValue": "Deny", + "storageAccountNetworkRules": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "storageThreatProtection": { - "type": "string", - "defaultValue": "DeployIfNotExists", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ] - }, - "storageClassicToArm": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + "storageAccountRestrictNetworkRules": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "storageAccountsInfraEncryption": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + 
"storageAccountSharedKey": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "storageAccountSharedKey": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + "storageAccountsAllowedCopyScope": { + "defaultValue": "AAD", + "type": "string" + }, + "storageAccountsCopyScope": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] + ], + "defaultValue": "Deny", + "type": "string" }, "storageAccountsCrossTenant": { - "type": "string", - "defaultValue": "Deny", "allowedValues": [ "Audit", "Deny", "Disabled" - ] + ], + "defaultValue": "Deny", + "type": "string" }, "storageAccountsDoubleEncryption": { - "type": "string", - "defaultValue": "Deny", "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "storageAccountsCopyScope": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + "storageAccountsInfraEncryption": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] + ], + "defaultValue": "Deny", + "type": "string" }, - "storageAccountsAllowedCopyScope": { - "type": "string", - "defaultValue": "AAD" + "storageAccountsModifyDisablePublicNetworkAccess": { + "allowedValues": [ + "Modify", + "Disabled" + ], + "defaultValue": "Modify", + "type": "string" }, - "storageServicesEncryption": { - "type": "string", - "defaultValue": "Deny", + "storageAllowedNetworkAclsBypass": { + "defaultValue": [ + "None" + ], + "type": "array" + }, + "storageClassicToArm": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] + ], + "defaultValue": "Deny", + "type": "string" }, - "storageLocalUser": { - "type": "string", - "defaultValue": "Disabled", + "storageContainerDeleteRetentionPolicy": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "storageSftp": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + "storageCorsRules": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "storageNetworkAclsBypass": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + 
"storageKeysExpiration": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "storageAllowedNetworkAclsBypass": { - "type": "array", - "defaultValue": [ - "None" - ] - }, - "storageResourceAccessRulesTenantId": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + "storageLocalUser": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] + ], + "defaultValue": "Disabled", + "type": "string" }, - "storageResourceAccessRulesResourceId": { - "type": "string", - "defaultValue": "Deny", + "storageMinContainerDeleteRetentionInDays": { + "defaultValue": 7, + "type": "Integer" + }, + "storageNetworkAclsBypass": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] + ], + "defaultValue": "Deny", + "type": "string" }, "storageNetworkAclsVirtualNetworkRules": { - "type": "string", - "defaultValue": "Deny", "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "storageContainerDeleteRetentionPolicy": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + "storageResourceAccessRulesResourceId": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] - }, - "storageMinContainerDeleteRetentionInDays": { - "type": "Integer", - "defaultValue": 7 - }, - "storageCorsRules": { - "type": "string", + ], "defaultValue": "Deny", + "type": "string" + }, + "storageResourceAccessRulesTenantId": { "allowedValues": [ "Audit", "Deny", "Disabled" - ] + ], + "defaultValue": "Deny", + "type": "string" }, - "modifyStorageFileSyncPublicEndpoint": { - "type": "string", - "defaultValue": "Modify", + "storageServicesEncryption": { "allowedValues": [ - "Modify", + "Audit", + "Deny", "Disabled" - ] + ], + "defaultValue": "Deny", + "type": "string" }, - "modifyStorageAccountPublicEndpoint": { - "type": "string", - "defaultValue": "Modify", + "storageSftp": { "allowedValues": [ - "Modify", + "Audit", + "Deny", "Disabled" - ] + ], + "defaultValue": "Deny", + "type": "string" }, - "storageAccountsModifyDisablePublicNetworkAccess": { - "type": "string", - 
"defaultValue": "Modify", + "storageThreatProtection": { "allowedValues": [ - "Modify", + "DeployIfNotExists", "Disabled" - ] + ], + "defaultValue": "DeployIfNotExists", + "type": "string" } }, + "policyDefinitionGroups": null, "policyDefinitions": [ { - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope", - "policyDefinitionReferenceId": "Deny-Storage-CopyScope", "groupNames": [], "parameters": { - "effect": { - "value": "[[parameters('storageAccountsCopyScope')]" - }, "allowedCopyScope": { "value": "[[parameters('storageAccountsAllowedCopyScope')]" + }, + "effect": { + "value": "[[parameters('storageAccountsCopyScope')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope", + "policyDefinitionReferenceId": "Deny-Storage-CopyScope" }, { - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption", - "policyDefinitionReferenceId": "Deny-Storage-ServicesEncryption", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('storageServicesEncryption')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption", + "policyDefinitionReferenceId": "Deny-Storage-ServicesEncryption" }, { - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser", - "policyDefinitionReferenceId": "Deny-Storage-LocalUser", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('storageLocalUser')]" } - } + }, + "policyDefinitionId": 
"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser", + "policyDefinitionReferenceId": "Deny-Storage-LocalUser" }, { - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-Sftp", - "policyDefinitionReferenceId": "Deny-Storage-Sftp", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('storageSftp')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP", + "policyDefinitionReferenceId": "Deny-Storage-SFTP" }, { - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass", - "policyDefinitionReferenceId": "Deny-Storage-NetworkAclsBypass", "groupNames": [], "parameters": { - "effect": { - "value": "[[parameters('storageNetworkAclsBypass')]" - }, "allowedBypassOptions": { "value": "[[parameters('storageAllowedNetworkAclsBypass')]" + }, + "effect": { + "value": "[[parameters('storageNetworkAclsBypass')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass", + "policyDefinitionReferenceId": "Deny-Storage-NetworkAclsBypass" }, { - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId", - "policyDefinitionReferenceId": "Deny-Storage-ResourceAccessRulesTenantId", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('storageResourceAccessRulesTenantId')]" } - } + }, + "policyDefinitionId": 
"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId", + "policyDefinitionReferenceId": "Deny-Storage-ResourceAccessRulesTenantId" }, { - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId", - "policyDefinitionReferenceId": "Deny-Storage-ResourceAccessRulesResourceId", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('storageResourceAccessRulesResourceId')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId", + "policyDefinitionReferenceId": "Deny-Storage-ResourceAccessRulesResourceId" }, { - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules", - "policyDefinitionReferenceId": "Deny-Storage-NetworkAclsVirtualNetworkRules", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('storageNetworkAclsVirtualNetworkRules')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules", + "policyDefinitionReferenceId": "Deny-Storage-NetworkAclsVirtualNetworkRules" }, { - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy", - "policyDefinitionReferenceId": "Deny-Storage-ContainerDeleteRetentionPolicy", "groupNames": [], "parameters": { "effect": { 
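Review bot: The `Deny-Storage-Sftp` to `Deny-Storage-SFTP` change rewrites the `policyDefinitionReferenceId`, and that identifier, not the definition's name, is what policy exemptions (`policyDefinitionReferenceIds`), assignment `overrides`/`nonComplianceMessages` and compliance records are keyed on, so any exemption a tenant granted for the SFTP policy silently stops applying once this version is deployed. If the goal is only to follow a renamed definition, keep `"policyDefinitionReferenceId": "Deny-Storage-Sftp"` and change just the `policyDefinitionId`; otherwise bump `metadata.version` and call the rename out as breaking. Separately, the two free-form parameters `storageAccountsAllowedCopyScope` (`"defaultValue": "AAD"`) and `storageAllowedNetworkAclsBypass` (`["None"]`) carry no `allowedValues`, so a mistyped assignment value is accepted and the Deny either blocks every storage account or never fires, depending on how the referenced custom definition compares the value; constraining them (e.g. `"allowedValues": ["AAD", "PrivateLink"]`, if those are the values the custom definition accepts) fails fast at assignment time instead. None of the parameters in this file have a `metadata.displayName`/`description`, which leaves the Deny-by-default choices unexplained in the portal; a one-line description per parameter would fix that.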
@@ -325,139 +321,143 @@ "minContainerDeleteRetentionInDays": { "value": "[[parameters('storageMinContainerDeleteRetentionInDays')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy", + "policyDefinitionReferenceId": "Deny-Storage-ContainerDeleteRetentionPolicy" }, { - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules", - "policyDefinitionReferenceId": "Deny-Storage-CorsRules", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('storageCorsRules')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules", + "policyDefinitionReferenceId": "Deny-Storage-CorsRules" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d", - "policyDefinitionReferenceId": "Deny-Storage-Account-Encryption", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('storageAccountsDoubleEncryption')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d", + "policyDefinitionReferenceId": "Deny-Storage-Account-Encryption" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312", - "policyDefinitionReferenceId": "Deny-Storage-Cross-Tenant", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('storageAccountsCrossTenant')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312", + "policyDefinitionReferenceId": "Deny-Storage-Cross-Tenant" }, { - "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54", - "policyDefinitionReferenceId": "Deny-Storage-Shared-Key", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('storageAccountSharedKey')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54", + "policyDefinitionReferenceId": "Deny-Storage-Shared-Key" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a", - "policyDefinitionReferenceId": "Deny-Storage-Infra-Encryption", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('storageAccountsInfraEncryption')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a", + "policyDefinitionReferenceId": "Deny-Storage-Infra-Encryption" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606", - "policyDefinitionReferenceId": "Deny-Storage-Classic", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('storageClassicToArm')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606", + "policyDefinitionReferenceId": "Deny-Storage-Classic" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c", - "policyDefinitionReferenceId": "Dine-Storage-Threat-Protection", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('storageThreatProtection')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c", + "policyDefinitionReferenceId": "Dine-Storage-Threat-Protection" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c", - 
"policyDefinitionReferenceId": "Deny-Storage-Restrict-NetworkRules", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('storageAccountRestrictNetworkRules')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c", + "policyDefinitionReferenceId": "Deny-Storage-Restrict-NetworkRules" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f", - "policyDefinitionReferenceId": "Deny-Storage-NetworkRules", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('storageAccountNetworkRules')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f", + "policyDefinitionReferenceId": "Deny-Storage-NetworkRules" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537", - "policyDefinitionReferenceId": "Deny-Storage-Account-Keys-Expire", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('storageKeysExpiration')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537", + "policyDefinitionReferenceId": "Deny-Storage-Account-Keys-Expire" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b", - "policyDefinitionReferenceId": "Modify-Storage-FileSync-PublicEndpoint", "groupNames": [], "parameters": { "effect": { "value": "[[parameters('modifyStorageFileSyncPublicEndpoint')]" } - } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b", + "policyDefinitionReferenceId": "Modify-Storage-FileSync-PublicEndpoint" }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b", - "policyDefinitionReferenceId": 
"Modify-Blob-Storage-Account-PublicEndpoint",
 "groupNames": [],
 "parameters": {
 "effect": {
 "value": "[[parameters('modifyStorageAccountPublicEndpoint')]"
 }
- }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b",
+ "policyDefinitionReferenceId": "Modify-Blob-Storage-Account-PublicEndpoint"
 },
 {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d",
- "policyDefinitionReferenceId": "Modify-Storage-Account-PublicEndpoint",
 "groupNames": [],
 "parameters": {
 "effect": {
 "value": "[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]"
 }
- }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d",
+ "policyDefinitionReferenceId": "Modify-Storage-Account-PublicEndpoint"
 }
 ],
- "policyDefinitionGroups": null
- }
-}
\ No newline at end of file
+ "policyType": "Custom"
+ },
+ "scope": null,
+ "type": "Microsoft.Authorization/policySetDefinitions"
+}