Merge branch 'main' of https://github.com/Azure/Enterprise-Scale into…

… policy-refresh-q2fy25
Azure · Nov 18, 2024 · af41ba7 · af41ba7
2 parents 601f53a + d123fa5
commit af41ba7
Show file tree

Hide file tree

Showing 9 changed files with 353 additions and 105 deletions.
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -68,6 +68,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
+        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
         with:
           sarif_file: results.sarif
diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
@@ -1,6 +1,7 @@
 ## In this Section
 
 - [Updates](#updates)
+  - [November 2024](#november-2024)
   - [🔃 Policy Refresh Q1 FY25](#-policy-refresh-q1-fy25)
   - [October 2024](#october-2024)
   - [September 2024](#september-2024)
@@ -56,6 +57,13 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 - Added description for custom ALZ policy [Deny-Subnet-Without-Penp](https://www.azadvertizer.net/azpolicyadvertizer/Deny-Subnet-Without-Penp.html) to the [ALZ Policies Extra](./ALZ-Policies-Extra) wiki page.
 - Updated initiative [Enforce-EncryptTransit_20240509](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html) `AppServiceMinTlsVersion` parameter to include TLS version 1.3 (as supported by the policy).
 
+### November 2024
+
+#### Tooling
+
+- A bug was resolved in the Portal Accelerator that caused deployment validation to fail with the error message "The 'location' property must be specified for 'amba-id-amba-prod-001'". This event happened when a Log Analytics Workspace was not deployed, but Azure Monitor Baseline Alerts were enabled. This issue occurred because Azure Monitor Baseline Alerts depend on the management subscription, which is not provided if the Log Analytics Workspace is not deployed. To address this scenario, an additional section was implemented in the Baseline alerts and monitoring tab allowing the selection of a Management subscription when not deploying a Log Analytics Workspace.
+- Updated the ***Baseline alerts and monitoring*** integration section in the portal accelerator to deploy the latest release of AMBA (2024-11-01). To read more on the changes, see the [What's new](https://aka.ms/amba/alz/whatsnew) page in the AMBA documentation.
+
 ### 🔃 Policy Refresh Q1 FY25
 
 - Updated ALZ custom policies enforcing minimum TLS versions to properly evaluate the minimum TLS version, ensuring services configured to deploy TLS 1.3 will successfully evaluate.
@@ -72,6 +80,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
   - Bot Service (new) -> AI Bot Services
 - Updated the initiative [Deploy-MDFC-Config_20240319](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) to include an additional parameter that allows you to specify if the Defender for Cloud export to Log Analytics should create a new resource group. This is useful when you want to specify the resource group name or requires tags on resource groups. Will be used by other RIs - Terraform and Bicep (portal accelerator will use default values).
 - Updated Automation Account to disable local authentication by default.
+- Updated the initiative [Deploy-Private-DNS-Zones](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-Private-DNS-Zones.html) to reduce the number of parameters required while retaining backward compatibility. The initiative now only requires the subscription ID, resource group name, and location for the private DNS zone. The DNS zone resource id is now generated based on those inputs. This simplifies usage in the upstream Terraform and Bicep modules.
 
 #### Known Issue
 
@@ -83,6 +92,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 
 - Resolved a bug in the Portal Accelerator related to deploying the single platform subscription setup. Incorrect parameter settings led to the failure of AMBA, as it erroneously attempted to deploy to a standard management group structure instead of a single platform management group as needed.
 - Increasing Policy assignment delay by a couple of minutes to help reduce assignment errors using the portal accelerator experience (the infamous "please wait 30 minutes and try again" error).
+- An issue with the Portal Accelerator regarding the Azure Monitor Baseline Alerts notifications settings was resolved. The problem occurred when no Email Address or Service Hook was specified on the Baseline alerts and monitoring tab. In this scenario, an empty string was converted to an array, resulting in the format `[""]` instead of `[]`. This caused errors during the remediation of the Notification Assets initiative.
 
 ### September 2024
 
@@ -120,8 +130,6 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 - Fixed a bug that would result in a failed deployment for some multi-region Virtual WAN scenarios with identity networks and gateways.
 - Fixed a bug that had ALZ-LITE deployments try to connect DNS zones twice for single regions deployment.
 
-
-
 ### July 2024
 
 #### Policy
@@ -332,7 +340,6 @@ Yes, the Q2 Policy Refresh has been delayed due to a light past quarter and some
 - Updated broken links in [Deploying ALZ ZT Network](https://github.com/Azure/Enterprise-Scale/wiki/Deploying-ALZ-ZTNetwork#azure-landing-zone-portal-accelerator-deployment-with-zero-trust-network-principles)
 - Added wiki document for recommended Resource Providers to register for Subscriptions in ALZ [ALZ Azure Resource Provider Recommendations](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Resource-Provider-Recommendations)
 
-
 ### December 2023
 
 #### Tooling
@@ -542,7 +549,6 @@ We strongly advise staying up-to-date to ensure the best possible security postu
 - [Migrate Azure landing zone policies to Azure built-in policies](https://aka.ms/alz/update/builtin)
 
 > **Please note** that, in some cases, moving to the new Built-In Policy definitions, deploying changes to existing custom policies or removing deprecated policies will require a new Policy Assignment and removing the previous Policy Assignment, which will mean compliance history for the Policy Assignment will be lost. However, if you have configured your Activity Logs and Security Center to export to a Log Analytics Workspace, Policy Assignment historic data will be stored here as per the retention duration configured. Thank you for your cooperation, and we look forward to continuing to work with you to ensure the security and compliance of our Azure environment.
-
 > While we've made every effort to test the stability of this release, should you have any issues and the guidance provided does not resolve your issue, please open a [GitHub issue](https://github.com/Azure/Enterprise-Scale/issues) so we can do our best to support you and document the fix for others.
 
 #### Policy
@@ -694,7 +700,6 @@ Note that a number of initiatives have been updated that will fail to deploy if
 | [docs/EnterpriseScale-Setup-aad-permissions.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-aad-permissions.md)                   | [wiki/ALZ-Setup-aad-permissions](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Setup-aad-permissions)                       |
 | [docs/EnterpriseScale-Setup-azure.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md)                                       | [wiki/ALZ-Setup-azure](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Setup-azure)                                           |
 
-
 - Updated the guidance for contributing to the [Azure/Enterprise-Scale](https://github.com/Azure/Enterprise-Scale/) repository
 
 #### Tooling
@@ -778,7 +783,6 @@ Note that a number of initiatives have been updated that will fail to deploy if
 | Deploy-Nsg-FlowLogs       | e920df7f-9a64-4066-9b58-52684c02a091 |
 | Deny-PublicIp             | 6c112d4e-5bc7-47ae-a041-ea2d9dccd749 |
 
-
 - "**"Deploy-ASC-SecurityContacts"**" definition update
 
   - displayName and description update to "Deploy Microsoft Defender for Cloud Security Contacts"

diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
@@ -390,7 +390,6 @@
                                 }
                             ]
                         },
-
                         {
                             "name": "multiPlatformMgmtSub",
                             "type": "Microsoft.Common.InfoBox",
@@ -1244,6 +1243,41 @@
                             ],
                             "visible": "[equals(steps('monitor').enableMonitorBaselines,'Yes')]"
                         },
+                        {
+                            "name": "AmbaEsMgmtSubSection",
+                            "type": "Microsoft.Common.Section",
+                            "label": "Management subscription",
+                            "elements": [
+                                {
+                                    "name": "AmbaEsMgmtSubUniqueWarningAmba",
+                                    "type": "Microsoft.Common.InfoBox",
+                                    "visible": true,
+                                    "options": {
+                                        "text": "Ensure you select a subscription that is dedicated/unique for Management. Selecting the same Subscription here for Connectivity or Identity will result in a deployment failure. If you want to use a single Subscription for all platform resources, select 'Single' on the 'Azure Core Setup' blade.",
+                                        "uri": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions#organization-and-governance-design-considerations",
+                                        "style": "Warning"
+                                    }
+                                },
+                                {
+                                    "name": "AmbaEsMgmtSub",
+                                    "type": "Microsoft.Common.DropDown",
+                                    "label": "Management subscription",
+                                    "defaultValue": "[parse('[]')]",
+                                    "toolTip": "",
+                                    "multiselect": false,
+                                    "selectAll": false,
+                                    "filter": true,
+                                    "filterPlaceholder": "Filter subscriptions...",
+                                    "multiLine": true,
+                                    "visible": true,
+                                    "constraints": {
+                                        "allowedValues": "[steps('basics').getSubscriptions.data]",
+                                        "required": true
+                                    }
+                                }
+                            ],
+                            "visible": "[and(equals(steps('management').enableLogAnalytics, 'No'), equals(steps('monitor').enableMonitorBaselines,'Yes'), not(equals(steps('core').platformSubscription, 'Single')))]"
+                        },
                         {
                             "name": "esAmbaAgConfig",
                             "type": "Microsoft.Common.Section",
@@ -4453,7 +4487,7 @@
                             },
                             "visible": "[and(equals(steps('identity').esIdentityConnectivity, 'Yes'), not(equals(steps('connectivity').enableHub,'No')))]"
                         },
-                        { 
+                        {
                             "name": "esIdentitySecondarySubSection",
                             "type": "Microsoft.Common.Section",
                             "label": "Secondary Region Identity",
@@ -4498,7 +4532,7 @@
                                     "visible": "[and(equals(steps('identity').esIdentitySecondarySubSection.esIdentityConnectivitySecondary, 'Yes'), not(equals(steps('connectivity').enableHub,'No')))]"
                                 }
                             ]
-                            }                      
+                            }
                     ]
                 },
                 {
@@ -9411,7 +9445,7 @@
                 "enableVmInsights": "[steps('management').enableVmInsights]",
                 "retentionInDays": "[string(steps('management').retentionInDays)]",
                 "enableSentinel": "[steps('management').enableSentinel]",
-                "managementSubscriptionId": "[steps('management').esMgmtSubSection.esMgmtSub]",
+                "managementSubscriptionId": "[if(and(equals(steps('management').enableLogAnalytics, 'No'), equals(steps('monitor').enableMonitorBaselines,'Yes'), not(equals(steps('core').platformSubscription, 'Single'))), steps('monitor').AmbaEsMgmtSubSection.AmbaEsMgmtSub, steps('management').esMgmtSubSection.esMgmtSub )]",
                 "enableAsc": "[steps('management').enableAsc]",
                 "emailContactAsc": "[steps('management').emailContactAsc]",
                 "enableAscForServers": "[steps('management').enableAscForServers]",

diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
@@ -1675,7 +1675,7 @@
         },
         // Declaring root uris for external dependency repositories.
         "rootUris": {
-            "monitorRepo": "https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/2024-09-02/"
+            "monitorRepo": "https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/2024-11-01/"
         },
         // Declaring all required deployment uri's used for deployments of composite ARM templates for ESLZ
         "azPrivateDnsPolicyAssignmentMapping": {
@@ -2268,7 +2268,7 @@
                         "value": "[parameters('userAssignedManagedIdentityName')]"
                     },
                     "ALZWebhookServiceUri": {
-                        "value": "[array(parameters('ambaAgServiceHook'))]"
+                        "value": "[if(empty(parameters('ambaAgServiceHook')), null(), array(parameters('ambaAgServiceHook')))]"
                     },
                     "ALZArmRoleId": {
                         "value": "[array(parameters('ambaAgArmRole'))]"
@@ -2283,7 +2283,7 @@
                         "value": "[deployment().location]"
                     },
                     "ALZMonitorActionGroupEmail": {
-                        "value": "[array(parameters('ambaAgEmailContact'))]"
+                        "value": "[if(empty(parameters('ambaAgEmailContact')), null(), array(parameters('ambaAgEmailContact')))]"
                     },
                     "managementSubscriptionId": {
                         "value": "[parameters('managementSubscriptionId')]"

diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-PrivateDNSZonesPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-PrivateDNSZonesPolicyAssignment.json
@@ -170,9 +170,9 @@
             "azureIotCentralPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azureiotcentral.com')]",
             "azureStorageTablePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.table.core.windows.net')]",
             "azureStorageTableSecondaryPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.table.core.windows.net')]",
-            "azureSiteRecoveryBackupPrivateDnsZoneID": "[concat(variables('baseId'), replace('privatelink.regionGeoShortCode.backup.windowsazure.com','regionGeoShortCode',variables('azBackupGeoCodes')[toLower(parameters('location'))]))]",
-            "azureSiteRecoveryBlobPrivateDnsZoneID": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]",
-            "azureSiteRecoveryQueuePrivateDnsZoneID": "[concat(variables('baseId'), 'privatelink.queue.core.windows.net')]"
+            "azureSiteRecoveryBackupPrivateDnsZoneId": "[concat(variables('baseId'), replace('privatelink.regionGeoShortCode.backup.windowsazure.com','regionGeoShortCode',variables('azBackupGeoCodes')[toLower(parameters('location'))]))]",
+            "azureSiteRecoveryBlobPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]",
+            "azureSiteRecoveryQueuePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.queue.core.windows.net')]"
         },
         "policyDefinitions": {
             "deployPrivateDnsZones": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones')]"
@@ -404,14 +404,14 @@
                     "azureStorageTableSecondaryPrivateDnsZoneId": {
                         "value": "[variables('policyParameterMapping').azureStorageTableSecondaryPrivateDnsZoneId]"
                     },
-                    "azureSiteRecoveryBackupPrivateDnsZoneID": {
-                        "value": "[variables('policyParameterMapping').azureSiteRecoveryBackupPrivateDnsZoneID]"
+                    "azureSiteRecoveryBackupPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureSiteRecoveryBackupPrivateDnsZoneId]"
                     },
-                    "azureSiteRecoveryBlobPrivateDnsZoneID": {
-                        "value": "[variables('policyParameterMapping').azureSiteRecoveryBlobPrivateDnsZoneID]"
+                    "azureSiteRecoveryBlobPrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureSiteRecoveryBlobPrivateDnsZoneId]"
                     },
-                    "azureSiteRecoveryQueuePrivateDnsZoneID": {
-                        "value": "[variables('policyParameterMapping').azureSiteRecoveryQueuePrivateDnsZoneID]"
+                    "azureSiteRecoveryQueuePrivateDnsZoneId": {
+                        "value": "[variables('policyParameterMapping').azureSiteRecoveryQueuePrivateDnsZoneId]"
                     }
                 }
             }

diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json
diff --git a/src/portal/release.json b/src/portal/release.json
@@ -1,5 +1,5 @@
 {
-    "azureLandingZoneTemplateDetailsUri": "https://github.com/Azure/Enterprise-Scale/tree/2024-10-17",
-    "templateUri": "https://raw.githubusercontent.com/Azure/Enterprise-Scale/2024-10-17/eslzArm/eslzArm.json",
-    "uiFormDefinitionUri": "https://raw.githubusercontent.com/Azure/Enterprise-Scale/2024-10-17/eslzArm/eslz-portal.json"
-}
+    "azureLandingZoneTemplateDetailsUri": "https://github.com/Azure/Enterprise-Scale/tree/2024-11-05",
+    "templateUri": "https://raw.githubusercontent.com/Azure/Enterprise-Scale/2024-11-05/eslzArm/eslzArm.json",
+    "uiFormDefinitionUri": "https://raw.githubusercontent.com/Azure/Enterprise-Scale/2024-11-05/eslzArm/eslz-portal.json"
+}