Fix for updated policy in Deploy-SQL-Security (#1654)

docs/wiki/ALZ-Deprecated-Services.md

@@ -34,6 +34,7 @@ Policies being deprecated:
 | Deploy SQL Database Vulnerability Assessments<br>ID: [`Deploy-Sql-vulnerabilityAssessments`](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments.html) | [`Deploy-Sql-vulnerabilityAssessments_20230706`](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html) | Custom policy replaced by updated custom policy providing bug fix |
 | Deploy Microsoft Defender for Cloud configuration<br>ID: [`Deploy-MDFC-Config`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config.html) | [`Deploy-MDFC-Config_20240319`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) | Custom initiative replaced by updated custom initiative due to breaking changes |
 | Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit<br>ID: [`Enforce-EncryptTransit`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit.html) | [`Enforce-EncryptTransit_20240509`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html) | Custom initiative replaced by updated custom initiative due to breaking changes |
+| Deploy SQL Database built-in SQL security configuration<br>ID: [`Deploy-SQL-Security`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-SQL-Security.html) | [`Deploy-SQL-Security_20240529`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-SQL-Security_20240529.html) | Custom initiative replaced by updated custom initiative due to breaking changes |
 
 >IMPORTANT: note that we have deprecated ALL ALZ custom Diagnostic Setting features as part of Azure Landing Zones, which includes the initiatives and all 53 policies. These are being deprecated in favor of using (and assigning) the built-in initiative [Enable allLogs category group resource logging for supported resources to Log Analytics](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html)
 

src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security.json

@@ -5,12 +5,14 @@
   "scope": null,
   "properties": {
     "policyType": "Custom",
-    "displayName": "Deploy SQL Database built-in SQL security configuration",
-    "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment",
+    "displayName": "[Deprecated]: Deploy SQL Database built-in SQL security configuration",
+    "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-Sql-Security_20240529.html",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.0.0-deprecated",
       "category": "SQL",
       "source": "https://github.com/Azure/Enterprise-Scale/",
+      "deprecated": true,
+      "supersededBy": "Deploy-Sql-Security_20240529",
       "alzCloudEnvironments": [
         "AzureCloud",
         "AzureChinaCloud",
@@ -114,7 +116,7 @@
       },
       {
         "policyDefinitionReferenceId": "SqlDbVulnerabilityAssessmentsDeploySqlSecurity",
-        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706",
+        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments",
         "parameters": {
           "effect": {
             "value": "[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]"

src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security_20240529.json

@@ -0,0 +1,135 @@
+{
+  "name": "Deploy-Sql-Security_20240529",
+  "type": "Microsoft.Authorization/policySetDefinitions",
+  "apiVersion": "2021-06-01",
+  "scope": null,
+  "properties": {
+    "policyType": "Custom",
+    "displayName": "Deploy SQL Database built-in SQL security configuration",
+    "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "SQL",
+      "source": "https://github.com/Azure/Enterprise-Scale/",
+      "replacesPolicy": "Deploy-Sql-Security",
+      "alzCloudEnvironments": [
+        "AzureCloud",
+        "AzureChinaCloud",
+        "AzureUSGovernment"
+      ]
+    },
+    "parameters": {
+      "vulnerabilityAssessmentsEmail": {
+        "metadata": {
+          "description": "The email address to send alerts",
+          "displayName": "The email address to send alerts"
+        },
+        "type": "Array"
+      },
+      "vulnerabilityAssessmentsStorageID": {
+        "metadata": {
+          "description": "The storage account ID to store assessments",
+          "displayName": "The storage account ID to store assessments"
+        },
+        "type": "String"
+      },
+      "SqlDbTdeDeploySqlSecurityEffect": {
+        "type": "String",
+        "defaultValue": "DeployIfNotExists",
+        "allowedValues": [
+          "DeployIfNotExists",
+          "Disabled"
+        ],
+        "metadata": {
+          "displayName": "Deploy SQL Database Transparent Data Encryption ",
+          "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment"
+        }
+      },
+      "SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect": {
+        "type": "String",
+        "defaultValue": "DeployIfNotExists",
+        "allowedValues": [
+          "DeployIfNotExists",
+          "Disabled"
+        ],
+        "metadata": {
+          "displayName": "Deploy SQL Database security Alert Policies configuration with email admin accounts",
+          "description": "Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration"
+        }
+      },
+      "SqlDbAuditingSettingsDeploySqlSecurityEffect": {
+        "type": "String",
+        "defaultValue": "DeployIfNotExists",
+        "allowedValues": [
+          "DeployIfNotExists",
+          "Disabled"
+        ],
+        "metadata": {
+          "displayName": "Deploy SQL database auditing settings",
+          "description": "Deploy auditing settings to SQL Database when it not exist in the deployment"
+        }
+      },
+      "SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect": {
+        "type": "String",
+        "defaultValue": "DeployIfNotExists",
+        "allowedValues": [
+          "DeployIfNotExists",
+          "Disabled"
+        ],
+        "metadata": {
+          "displayName": "Deploy SQL Database vulnerability Assessments",
+          "description": "Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific  storage account in the parameters"
+        }
+      }
+    },
+    "policyDefinitions": [
+      {
+        "policyDefinitionReferenceId": "SqlDbTdeDeploySqlSecurity",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f",
+        "parameters": {
+          "effect": {
+            "value": "[[parameters('SqlDbTdeDeploySqlSecurityEffect')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "SqlDbSecurityAlertPoliciesDeploySqlSecurity",
+        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies",
+        "parameters": {
+          "effect": {
+            "value": "[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "SqlDbAuditingSettingsDeploySqlSecurity",
+        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings",
+        "parameters": {
+          "effect": {
+            "value": "[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "SqlDbVulnerabilityAssessmentsDeploySqlSecurity",
+        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706",
+        "parameters": {
+          "effect": {
+            "value": "[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]"
+          },
+          "vulnerabilityAssessmentsEmail": {
+            "value": "[[parameters('vulnerabilityAssessmentsEmail')]"
+          },
+          "vulnerabilityAssessmentsStorageID": {
+            "value": "[[parameters('vulnerabilityAssessmentsStorageID')]"
+          }
+        },
+        "groupNames": []
+      }
+    ],
+    "policyDefinitionGroups": null
+  }
+}

src/templates/initiatives.bicep

@@ -36,6 +36,7 @@ var loadPolicySetDefinitions = {
     loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Audit-UnusedResourcesCostOptimization.json')
     loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch.json')
     loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security.json')
+    loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security_20240529.json')
     loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json')
     loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json')
     loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json')