Denyactionpr

docs/wiki/Whats-new.md

@@ -49,6 +49,10 @@ Major update in this release: introducing the Policy Testing Framework foundatio
   - Deploy-SQL-minTLS
   - Deploy-MySQL-sslEnforcement (changed from Owner to Contributor role, no built in roles currently available)
   - Deploy-PostgreSQL-sslEnforcement (changed from Owner to Contributor role, no built in roles currently available)
+  - Additional policy definitions:
+    - `DenyAction-ActivityLogs`
+    - `DenyAction-DiagnosticLogs`
+    - These two policy definitions prevent Activity Log Settings and Diagnostic Settings being deleted leveraging Azure Policy DenyAction functionality
 
 ### July 2023
 

src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogSettings.json

@@ -0,0 +1,38 @@
+{
+    "name": "DenyAction-ActivityLogs",
+    "type": "Microsoft.Authorization/policyDefinitions",
+    "apiVersion": "2021-06-01",
+    "scope": null,
+    "properties": {
+        "policyType": "Custom",
+        "mode": "Indexed",
+        "displayName": "DenyAction implementation on Activity Logs",
+        "description": "This is a DenyAction implementation policy on Activity Logs.",
+        "metadata": {
+            "deprecated": false,            
+            "version": "1.0.0",
+            "category": "Monitoring",
+            "source": "https://github.com/Azure/Enterprise-Scale/",
+            "alzCloudEnvironments": [
+                "AzureCloud",
+                "AzureChinaCloud",
+                "AzureUSGovernment"
+            ]
+        },
+        "parameters": {},
+        "policyRule": {
+            "if": {
+                "field": "type",
+                "equals": "Microsoft.Resources/subscriptions/providers/diagnosticSettings"
+            },
+            "then": {
+                "effect": "denyAction",
+                "details": {
+                    "actionNames": [
+                        "delete"
+                    ]
+                }
+            }
+        }
+    }
+}

src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticSettings.json

@@ -0,0 +1,38 @@
+{
+    "name": "DenyAction-DiagnosticLogs",
+    "type": "Microsoft.Authorization/policyDefinitions",
+    "apiVersion": "2021-06-01",
+    "scope": null,
+    "properties": {
+        "policyType": "Custom",
+        "mode": "Indexed",
+        "displayName": "DenyAction implementation on Diagnostic Logs.",
+        "description": "DenyAction implementation on Diagnostic Logs.",
+        "metadata": {
+            "deprecated": false,
+            "version": "1.0.0",
+            "category": "Monitoring",
+            "source": "https://github.com/Azure/Enterprise-Scale/",
+            "alzCloudEnvironments": [
+                "AzureCloud",
+                "AzureChinaCloud",
+                "AzureUSGovernment"
+            ]
+        },
+        "parameters": {},
+        "policyRule": {
+            "if": {
+                "field": "type",
+                "equals": "Microsoft.Insights/diagnosticSettings"
+            },
+            "then": {
+                "effect": "denyAction",
+                "details": {
+                    "actionNames": [
+                        "delete"
+                    ]
+                }
+            }
+        }
+    }
+}

src/resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json

@@ -0,0 +1,37 @@
+{
+    "name": "DenyAction-DeleteProtection",
+    "type": "Microsoft.Authorization/policySetDefinitions",
+    "apiVersion": "2021-06-01",
+    "scope": null,
+    "properties": {
+        "policyType": "Custom",
+        "displayName": "DenyAction Delete - Activity Log Settings and Diagnostic Settings",
+        "description": "Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.",
+        "metadata": {
+            "version": "1.0.0",
+            "category": "Monitoring",
+            "source": "https://github.com/Azure/Enterprise-Scale/",
+            "alzCloudEnvironments": [
+                "AzureCloud",
+                "AzureChinaCloud",
+                "AzureUSGovernment"
+            ]
+        },
+        "parameters": {},
+        "policyDefinitions": [
+            {
+                "policyDefinitionReferenceId": "DenyActionDelete-DiagnosticSettings",
+                "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticSettings",
+                "parameters": {},
+                "groupNames": []
+            },
+            {
+                "policyDefinitionReferenceId": "DenyActionDelete-ActivityLogSettings",
+                "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogSettings",
+                "parameters": {},
+                "groupNames": []
+            }
+        ],
+        "policyDefinitionGroups": null
+    }
+}

src/templates/policies.bicep

@@ -177,6 +177,8 @@ var loadPolicyDefinitions = {
     loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Windows-DomainJoin.json')
     loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW.json')
     loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-PrivateLinkPrivateDnsZones.json')
+    loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticSettings.json')
+    loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogSettings.json')
   ]
   AzureCloud: [
     loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId.json') // Needs validating in AzureChinaCloud and AzureUSGovernment
@@ -224,6 +226,7 @@ var loadPolicySetDefinitions = {
     loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json')
     loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json')
     loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json')
+    loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json')
   ]
   AzureCloud: [
     loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning