diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index dc0eb4b643..e9a0746f66 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -48,6 +48,8 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: ### 🔃 Policy Refresh Q1 FY25 +- Updated the initiative [Deploy-MDFC-Config_20240319](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) to the the newer version of DCSPM: [Configure Microsoft Defender CSPM plan](https://www.azadvertizer.net/azpolicyadvertizer/72f8cee7-2937-403d-84a1-a4e3e57f3c21.html) +- Updated [Deploy-Private-DNS-Generic](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Private-DNS-Generic.html) policy to include the ability to configure the location/region. - Removed duplicate assignment and portal option of [Deploy Azure Policy Add-on to Azure Kubernetes Service clusters](https://www.azadvertizer.net/azpolicyadvertizer/a8eff44f-8c92-45c3-a3fb-9880802d67a7.html) at Landing Zones scope, as this policy is assigned in the initiative [Deploy Microsoft Defender for Cloud configuration](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) at Intermediate Root scope. ### June 2024 @@ -62,7 +64,6 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: - Added new custom policy [Do not allow deletion of specified resource and resource type](https://www.azadvertizer.net/azpolicyadvertizer/DenyAction-DeleteResources.html) that provides a safeguard against accidental removal of the User Assigned Managed Identity used by AMA. Assigned at the Platform Management Group, it blocks delete calls using the deny action effect. - Updated the custom policy [Deploy-ASC-SecurityContacts](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-ASC-SecurityContacts.html) as part of the [Deploy-MDFC-Config](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/deploy-mdfc-config.html) initiative to use the new API and revised construct for the Security Contact API in Defender for Cloud (`alertNotications` alias has been deprecated, and replaced by `notificationSources`). -- Updated the initiative [Deploy-MDFC-Config_20240319](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) to the the newer version of DCSPM: [Configure Microsoft Defender CSPM plan](https://www.azadvertizer.net/azpolicyadvertizer/72f8cee7-2937-403d-84a1-a4e3e57f3c21.html) #### Other diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json index 2edbae4ca7..89e201baad 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.28.1.47646", - "templateHash": "1159734146410583397" + "templateHash": "2449863039247600800" } }, "parameters": { @@ -124,7 +124,7 @@ "$fxv#139": "{\n \"name\": \"Modify-NSG\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Enforce specific configuration of Network Security Groups (NSG)\",\n \"description\": \"This policy enforces the configuration of Network Security Groups (NSG).\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Modify\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"nsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"nsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"nsgRuleDirection\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Inbound\",\n \"Outbound\"\n ],\n \"defaultValue\": \"Outbound\"\n },\n \"nsgRuleAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Allow\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"nsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\"\n },\n \"equals\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"conflictEffect\": \"audit\",\n \"operations\": [\n {\n \"operation\": \"add\",\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\",\n \"value\": {\n \"name\": \"[[parameters('nsgRuleName')]\",\n \"properties\": {\n \"description\": \"[[parameters('nsgRuleDescription')]\",\n \"protocol\": \"[[parameters('nsgRuleProtocol')]\",\n \"sourcePortRange\": \"[[parameters('nsgRuleSourcePortRange')]\",\n \"destinationPortRange\": \"[[parameters('nsgRuleDestinationPortRange')]\",\n \"sourceAddressPrefix\": \"[[parameters('nsgRuleSourceAddressPrefix')]\",\n \"destinationAddressPrefix\": \"[[parameters('nsgRuleDestinationAddressPrefix')]\",\n \"access\": \"[[parameters('nsgRuleAccess')]\",\n \"priority\": \"[[parameters('nsgRulePriority')]\",\n \"direction\": \"[[parameters('nsgRuleDirection')]\"\n }\n }\n }\n ]\n }\n }\n }\n }\n}", "$fxv#14": "{\n \"name\": \"Deny-PostgreSql-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"PostgreSQL database servers enforce SSL connection.\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS for PostgreSQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for PostgreSQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#140": "{\n \"name\": \"Modify-UDR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Enforce specific configuration of User-Defined Routes (UDR)\",\n \"description\": \"This policy enforces the configuration of User-Defined Routes (UDR) within a subnet.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Modify\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"addressPrefix\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The destination IP address range in CIDR notation that this Policy checks for within the UDR. Example: 0.0.0.0/0 to check for the presence of a default route.\",\n \"displayName\": \"Address Prefix\"\n }\n },\n \"nextHopType\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The next hope type that the policy checks for within the inspected route. The value can be Virtual Network, Virtual Network Gateway, Internet, Virtual Appliance, or None.\",\n \"displayName\": \"Next Hop Type\"\n },\n \"allowedValues\": [\n \"VnetLocal\",\n \"VirtualNetworkGateway\",\n \"Internet\",\n \"VirtualAppliance\",\n \"None\"\n ]\n },\n \"nextHopIpAddress\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The IP address packets should be forwarded to.\",\n \"displayName\": \"Next Hop IP Address\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/routeTables\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/routeTables/routes[*]\"\n },\n \"equals\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"conflictEffect\": \"audit\",\n \"operations\": [\n {\n \"operation\": \"add\",\n \"field\": \"Microsoft.Network/routeTables/routes[*]\",\n \"value\": {\n \"name\": \"default\",\n \"properties\": {\n \"addressPrefix\": \"[[parameters('addressPrefix')]\",\n \"nextHopType\": \"[[parameters('nextHopType')]\",\n \"nextHopIpAddress\": \"[[parameters('nextHopIpAddress')]\"\n }\n }\n }\n ]\n }\n }\n }\n }\n}", - "$fxv#141": "{\n \"name\": \"Deploy-Private-DNS-Generic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy-Private-DNS-Generic\",\n \"description\": \"Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Networking\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \t\"AzureChinaCloud\",\n \t\t\"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID for Paas services\",\n \"description\": \"The private DNS zone name required for specific Paas Services to resolve a private DNS Zone.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS private endpoint resource type\",\n \"description\": \"The PaaS endpoint resource type.\"\n }\n },\n \"groupId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS Private endpoint group ID (subresource)\",\n \"description\": \"The group ID of the PaaS private endpoint. Also referred to as subresource.\"\n }\n },\n \"evaluationDelay\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Delay\",\n \"description\": \"The delay in evaluation of the policy. Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists\"\n },\n \"defaultValue\": \"PT10M\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId\",\n \"contains\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"[[parameters('groupId')]\"\n }\n ]\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"evaluationDelay\": \"[[parameters('evaluationDelay')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"PaaS-Service-Private-DNS-Zone-Config\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#141": "{\n \"name\": \"Deploy-Private-DNS-Generic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy-Private-DNS-Generic\",\n \"description\": \"Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Networking\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \t\"AzureChinaCloud\",\n \t\t\"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID for PaaS services\",\n \"description\": \"The private DNS zone name required for specific PaaS Services to resolve a private DNS Zone.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS private endpoint resource type\",\n \"description\": \"The PaaS endpoint resource type.\"\n }\n },\n \"groupId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS Private endpoint group ID (subresource)\",\n \"description\": \"The group ID of the PaaS private endpoint. Also referred to as subresource.\"\n }\n },\n \"evaluationDelay\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Delay\",\n \"description\": \"The delay in evaluation of the policy. Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists\"\n },\n \"defaultValue\": \"PT10M\"\n },\n \"location\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Location (Specify the Private Endpoint location)\",\n \"description\": \"Specify the Private Endpoint location\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": \"uksouth\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('location')]\"\n },\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId\",\n \"contains\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"[[parameters('groupId')]\"\n }\n ]\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"evaluationDelay\": \"[[parameters('evaluationDelay')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"PaaS-Service-Private-DNS-Zone-Config\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", "$fxv#142": "{\n \"name\": \"DenyAction-DeleteResources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Do not allow deletion of specified resource and resource type\",\n \"description\": \"This policy enables you to specify the resource and resource type that your organization can protect from accidentals deletion by blocking delete calls using the deny action effect.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"General\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Name\",\n \"description\": \"Provide the name of the resource that you want to protect from accidental deletion.\"\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Type\",\n \"description\": \"Provide the resource type that you want to protect from accidental deletion.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DenyAction\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DenyAction\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"name\",\n \"like\": \"[[parameters('resourceName')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}\n", "$fxv#143": "{\n \"name\": \"Audit-MachineLearning-PrivateEndpointId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n \"equals\": \"Approved\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n \"notEquals\": \"[[subscription().subscriptionId]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#144": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n \"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Generic.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Generic.json index 25a41b067e..5697371cde 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Generic.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Generic.json @@ -9,7 +9,7 @@ "displayName": "Deploy-Private-DNS-Generic", "description": "Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.", "metadata": { - "version": "1.0.0", + "version": "2.0.0", "category": "Networking", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -34,8 +34,8 @@ "privateDnsZoneId": { "type": "String", "metadata": { - "displayName": "Private DNS Zone ID for Paas services", - "description": "The private DNS zone name required for specific Paas Services to resolve a private DNS Zone.", + "displayName": "Private DNS Zone ID for PaaS services", + "description": "The private DNS zone name required for specific PaaS Services to resolve a private DNS Zone.", "strongType": "Microsoft.Network/privateDnsZones", "assignPermissions": true } @@ -61,11 +61,24 @@ "description": "The delay in evaluation of the policy. Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists" }, "defaultValue": "PT10M" - } + }, + "location": { + "type": "String", + "metadata": { + "displayName": "Location (Specify the Private Endpoint location)", + "description": "Specify the Private Endpoint location", + "strongType": "location" + }, + "defaultValue": "northeurope" + } }, "policyRule": { "if": { "allOf": [ + { + "field": "location", + "equals": "[[parameters('location')]" + }, { "field": "type", "equals": "Microsoft.Network/privateEndpoints"